[whatwg] base64 entities

On 8/26/10 6:45 PM, Adam Barth wrote:
>> Note that this issue means that using atob or btoa for dealing with this is
>> a huge pain if non-ASCII chars are involved, since those take and return
>> byte arrays masquerading as JS strings, not actual Unicode strings.
>
> I'm slightly confused how that works.  How do you represent arbitrary
> binary data as characters?

You mean how do atob/btoa take their binary data in JS-land?  You take 
your byte array, and convert it to a sequence of two-byte units by 
setting the high byte to 0.  This sequence of two-byte units is a JS string.

> Another option is to provide a base64
> encoder/decoder that uses UTF8 to encode/decode the binary.

Not sure what the exact proposal here is.

> Because <script> does not decode entities in HTML, the attacker will
> be limited to what he or she can do with alphanumeric characters

OK.  I had misunderstood what you were proposing for <script> here.  The 
point is that inside <script> this base64 thing will only be useful for 
setting innerHTML, right?

-Boris

Received on Thursday, 26 August 2010 15:52:21 UTC
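
The binary-string convention described in the message above, and the UTF-8 variant raised in the quoted text, as an added example that is not part of the original thread. The helper names are hypothetical; btoa/atob and TextEncoder/TextDecoder are the standard globals (browsers, Node 16+).

```javascript
// Added example, not from the thread. Helper names are hypothetical.

// Byte array -> "binary string": one code unit per byte, high byte set to 0.
function bytesToBinaryString(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b & 0xff);
  return s;
}

// "Binary string" -> byte array. Rejects code units that are not bytes.
function binaryStringToBytes(s) {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) {
    const unit = s.charCodeAt(i);
    if (unit > 0xff) throw new RangeError("code unit above 0xFF at index " + i);
    out[i] = unit;
  }
  return out;
}

// Base64 over the UTF-8 bytes of a Unicode string.
function utf8ToBase64(text) {
  return btoa(bytesToBinaryString(new TextEncoder().encode(text)));
}

// Inverse: base64 -> bytes -> Unicode string. fatal:true rejects invalid UTF-8.
function base64ToUtf8(b64) {
  const bytes = binaryStringToBytes(atob(b64));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// True when btoa() refuses the input because a code unit is above 0xFF.
function btoaRejects(text) {
  try { btoa(text); return false; } catch (e) { return true; }
}

const sample = "caf\u00e9 \u2713"; // constructed sample: "café ✓"
console.log(btoaRejects(sample));                 // U+2713 does not fit in one byte
console.log(utf8ToBase64(sample));                // base64 of the UTF-8 bytes
console.log(base64ToUtf8(utf8ToBase64(sample)) === sample);
// atob() alone returns the raw bytes C3 A9 as two code units, not "é":
console.log(atob(utf8ToBase64("\u00e9")) === "\u00c3\u00a9");
```

Note that btoa("\u00e9") succeeds but encodes the single byte E9, so the same visible character yields different base64 depending on which convention the encoder used; a decoder has to apply the matching one.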