W3C home > Mailing lists > Public > www-international@w3.org > October to December 2006

Re: ban the use and implementation of UTF-7

From: Deborah Goldsmith <goldsmit@apple.com>
Date: Thu, 14 Dec 2006 19:29:28 -0800
Message-Id: <2FA89FCA-8881-4C45-A05A-F78E9333FBFA@apple.com>
Cc: Misha Wolf <Misha.Wolf@reuters.com>, www-international@w3.org, ietf-charsets@iana.org, Michel Suignard <michelsu@microsoft.com>
To: Mark Davis <mark.davis@icu-project.org>
Speaking as the other author, I agree. :-)

Deborah

On Dec 14, 2006, at 4:39 PM, Mark Davis wrote:

> Speaking as one of the authors, I think it is clear that UTF-7  
> should only be supported where really necessary; only in  
> environments that are not 8-bit clean. It was originally designed  
> for email, but in this day and age, 8-bit clean email transport is  
> really not much of an issue.
>
> Mark
>
> On 12/14/06, Misha Wolf <Misha.Wolf@reuters.com> wrote:
>
> fyi
>
>
> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> Of Roy T. Fielding
> Sent: 14 December 2006 22:13
> To: W3C TAG
> Subject: ban the use and implementation of UTF-7
>
>
> Over the years I have seen a number of security exploits that make
> use of broken browsers that sniff character encodings in combination
> with UTF-7 encoded tags or javascript commands.  I have never actually
> seen anyone use UTF-7 for anything legitimate (other than testing).
>
> Is there some reason why WWW clients need to support UTF-7?
>
> It seems completely unnecessary given the now ubiquitous use of 8-bit
> clean transports and the presence of UTF-8, which IIRC was defined
> long after UTF-7.  However, the wider community may be aware of
> some reason why browsers should support it, so I'd like to hear
> your comments.
>
> If there is no need for UTF-7, I'd like the TAG to consider it an
> issue for the sake of asking browsers to remove its implementation
> and banning its use by servers.
>
> I know this won't solve any problems for deployed clients, and
> wouldn't be an issue at all if servers used the same algorithm for
> escaping characters that clients used to interpret them, but in the
> long term it will simplify some checks for XSS attacks and I don't
> think it will harm the Web.  That is, unless there is some significant
> body of content out there that is encoded as UTF-7.
>
> Cheers,
>
> Roy T. Fielding                            <http://roy.gbiv.com/>
> Chief Scientist, Day Software              < http://www.day.com/>
>
>
>
>
> This email was sent to you by Reuters, the global news and  
> information company.
> To find out more about Reuters visit www.about.reuters.com
>
> Any views expressed in this message are those of the individual  
> sender, except where the sender specifically states them to be the  
> views of Reuters Ltd.
>
>
>
Received on Friday, 15 December 2006 07:59:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 19:17:09 GMT