W3C home > Mailing lists > Public > www-international@w3.org > October to December 2006

FW: ban the use and implementation of UTF-7

From: Misha Wolf <Misha.Wolf@reuters.com>
Date: Thu, 14 Dec 2006 22:18:02 +0000
To: www-international@w3.org, ietf-charsets@iana.org
Message-id: <A29ADE959C70A1449470AA9A212F5D8003D8082D@LONSMSXM06.emea.ime.reuters.com>


-----Original Message-----
From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
Of Roy T. Fielding
Sent: 14 December 2006 22:13
Subject: ban the use and implementation of UTF-7

Over the years I have seen a number of security exploits that make
use of broken browsers that sniff character encodings in combination
with UTF-7 encoded tags or javascript commands.  I have never actually
seen anyone use UTF-7 for anything legitimate (other than testing).

Is there some reason why WWW clients need to support UTF-7?

It seems completely unnecessary given the now ubiquitous use of 8-bit
clean transports and the presence of UTF-8, which IIRC was defined
long after UTF-7.  However, the wider community may be aware of
some reason why browsers should support it, so I'd like to hear
your comments.

If there is no need for UTF-7, I'd like the TAG to consider it an
issue for the sake of asking browsers to remove its implementation
and banning its use by servers.

I know this won't solve any problems for deployed clients, and
wouldn't be an issue at all if servers used the same algorithm for
escaping characters that clients used to interpret them, but in the
long term it will simplify some checks for XSS attacks and I don't
think it will harm the Web.  That is, unless there is some significant
body of content out there that is encoded as UTF-7.


Roy T. Fielding                            <http://roy.gbiv.com/>
Chief Scientist, Day Software              <http://www.day.com/>

This email was sent to you by Reuters, the global news and information company. 
To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
Received on Thursday, 14 December 2006 22:18:26 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 21 September 2016 22:37:27 UTC