W3C home > Mailing lists > Public > www-international@w3.org > July to September 2008

RE: [whatwg] Is EBCDIC support needed for not breaking the Web?

From: Phillips, Addison <addison@amazon.com>
Date: Fri, 29 Aug 2008 10:16:50 -0700
To: Ian Hickson <ian@hixie.ch>, Benjamin Smedberg <bsmedberg@mozilla.com>
CC: Henri Sivonen <hsivonen@iki.fi>, Bjoern Hoehrmann <derhoermi@gmx.net>, "www-international@w3.org" <www-international@w3.org>, "public-html@w3.org WG" <public-html@w3.org>, "public-i18n-core@w3.org" <public-i18n-core@w3.org>
Message-ID: <4D25F22093241741BC1D0EEBC2DBB1DA014B4DC4B3@EX-SEA5-D.ant.amazon.com> 
Hixie wrote:

> >
> > Gecko does support UTF-7 and will continue to do so because UTF-7
> is
> > still in use as a character set for mail encoding and multi-part
> MIME
> > documents.
> 
> Would it be possible to limit this support to e-mail? Supporting
> UTF-7 on
> the Web has been the source of security bugs and really doesn't
> seem
> necessary outside of e-mail.
> 

+1

In particular, the *autodetection* of UTF-7 as an encoding in Web pages should be a "MUST NOT" in HTML5, IMHO, because that is a well-known XSS attack. Auto-detection of UTF-7 serves no other purpose in real-world Web documents. I believe there is a TAG finding to this effect. Further, the authors of the UTF-7 RFCs have expressed support for that course of action (as has the I18N WG and, I believe, the UTC).

Best Regards,

Addison

Addison Phillips
Globalization Architect -- Lab126

Internationalization is not a feature.
It is an architecture.
Received on Friday, 29 August 2008 17:17:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 19:17:18 GMT