- From: t-tera <notifications@github.com>
- Date: Fri, 13 Nov 2015 00:14:08 -0800
- To: whatwg/encoding <encoding@noreply.github.com>
Received on Friday, 13 November 2015 08:14:40 UTC
I reported this issue with server-side apps in mind.

Suppose a server app receives a Unicode string like ESC, $, B, 1, 2 from somewhere. The app embeds the string in HTML, then encodes the HTML using ISO-2022-JP. According to the current spec, the resulting HTML would be:

    <input type="hidden" name="foo" value="[0x1B]$B12">...

The browser tries to decode 12">... as a JIS encoded part. This breaks the trailing "> and can possibly lead to an XSS bug.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/encoding/issues/15#issuecomment-156359113
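The case described in the message above, as an added example that is not part of the original message or of the Encoding Standard: a simplified model of how a decoder groups the bytes, showing that HTML escaping leaves ESC in place and that the closing `">` ends up inside the two-byte run. The function names, the reduced escape-sequence table and the `harden` mitigation (writing a character reference for U+FFFD in place of ESC, SO and SI) are assumptions of this example.

```python
import html

# Escape sequences a decoder acts on (subset of ISO-2022-JP, enough for this case).
MODE_SWITCH = {b"\x1b(B": "ascii", b"\x1b(J": "roman",
               b"\x1b$@": "jis0208", b"\x1b$B": "jis0208"}
# Code points that can start or alter a mode switch: SO, SI, ESC.
RISKY = {"\x0e", "\x0f", "\x1b"}

def render(value: str, harden: bool) -> bytes:
    """Build the hidden-input markup from the message and return its bytes."""
    escaped = html.escape(value, quote=True)   # leaves ESC untouched
    if harden:
        # Assumed mitigation: emit a character reference for U+FFFD instead.
        escaped = "".join("&#65533;" if c in RISKY else c for c in escaped)
    markup = f'<input type="hidden" name="foo" value="{escaped}">'
    # Every code point in the sample is ASCII, so a pass-through ISO-2022-JP
    # encoder would emit exactly these bytes.
    return markup.encode("ascii")

def decoder_view(data: bytes):
    """Group bytes into (mode, bytes) runs the way a decoder would read them."""
    runs, mode, i = [], "ascii", 0
    while i < len(data):
        switch = MODE_SWITCH.get(data[i:i + 3])
        if switch:
            mode, i = switch, i + 3
            continue
        if runs and runs[-1][0] == mode:
            runs[-1] = (mode, runs[-1][1] + data[i:i + 1])
        else:
            runs.append((mode, data[i:i + 1]))
        i += 1
    return runs

def swallowed(data: bytes) -> bytes:
    """Bytes the decoder would treat as two-byte JIS data, not as markup."""
    return b"".join(b for m, b in decoder_view(data) if m == "jis0208")

if __name__ == "__main__":
    sample = "\x1b$B12"   # constructed: ESC, $, B, 1, 2 as in the message
    for harden in (False, True):
        out = render(sample, harden)
        print(harden, out, swallowed(out))
```

The same `swallowed()` check can be run over any ISO-2022-JP output before it is sent: a non-empty result for a value that contained only ASCII input means a mode switch was introduced by the data.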