Re: [encoding] iso-2022-jp encoder XSS risks (#15)

Thank you @t-tera for the tests. Per the specification IE and Firefox are correct, Chrome does not seem like a sufficient defense against the attack, and while Safari defends against the attack, it does not defend against the attack of verifying a string against XSS and then passing it to the encoder, as @vyv03354 points out.

So either we need all browsers to agree on handling these code points in a new special manner for this encoding, as suggested by @t-tera's comment above, or we accept this XSS risk and recommend folks against using this encoding (as we do already).

@inexorabletash @hsivonen @jungshik, ideas?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/encoding/issues/15#issuecomment-164836867

Received on Tuesday, 15 December 2015 17:45:52 UTC