- From: Phillips, Addison <addison@amazon.com>
- Date: Fri, 29 Aug 2008 10:16:50 -0700
- To: Ian Hickson <ian@hixie.ch>, Benjamin Smedberg <bsmedberg@mozilla.com>
- CC: Henri Sivonen <hsivonen@iki.fi>, Bjoern Hoehrmann <derhoermi@gmx.net>, "www-international@w3.org" <www-international@w3.org>, "public-html@w3.org WG" <public-html@w3.org>, "public-i18n-core@w3.org" <public-i18n-core@w3.org>
Hixie wrote:
>
> > Gecko does support UTF-7 and will continue to do so because UTF-7 is
> > still in use as a character set for mail encoding and multi-part MIME
> > documents.
>
> Would it be possible to limit this support to e-mail? Supporting UTF-7 on
> the Web has been the source of security bugs and really doesn't seem
> necessary outside of e-mail.
>

+1

In particular, the *autodetection* of UTF-7 as an encoding in Web pages should be a "MUST NOT" in HTML5, IMHO, because that is a well-known XSS attack. Auto-detection of UTF-7 serves no other purpose in real-world Web documents. I believe there is a TAG finding to this effect. Further, the authors of the UTF-7 RFCs have expressed support for that course of action (as has the I18N WG and, I believe, the UTC).

Best Regards,

Addison

Addison Phillips
Globalization Architect -- Lab126

Internationalization is not a feature.
It is an architecture.
Received on Friday, 29 August 2008 17:17:47 UTC
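
A sketch of the policy argued for in the message above, added here as an example and not code from the message, Gecko or HTML5: an encoding chooser for Web content that honours declared charsets but never selects UTF-7, whether it is declared or sniffed from the bytes. The name `choose_encoding`, the windows-1252 fallback and the sample inputs are assumptions of this example.

```python
import codecs
import re

FALLBACK = "windows-1252"  # assumption: default encoding used by this sketch
BOMS = [(codecs.BOM_UTF8, "utf-8"),
        (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be")]
UTF7_SIGNATURE = re.compile(rb"^\+/v[89+/]")  # byte-order-mark forms of UTF-7
HEADER_CHARSET = re.compile(r'charset\s*=\s*"?([^\s";]+)', re.I)
META_CHARSET = re.compile(rb'<meta[^>]+charset\s*=\s*["\']?([\w.:-]+)', re.I)


def is_utf7_label(label):
    """True for any charset label that names UTF-7 (utf-7, utf7, ...)."""
    return "utf7" in label.replace("-", "").replace("_", "")


def choose_encoding(content_type, body):
    """Return (encoding, notes) for an HTML response; never returns UTF-7."""
    notes = []
    for bom, name in BOMS:
        if body.startswith(bom):
            return name, notes
    if UTF7_SIGNATURE.match(body):
        # Sniffing must not turn this signature into an encoding decision.
        notes.append("utf-7 signature ignored")
    declared, source = None, None
    m = HEADER_CHARSET.search(content_type or "")
    if m:
        declared, source = m.group(1).lower(), "header"
    else:
        m = META_CHARSET.search(body[:1024])
        if m:
            declared, source = m.group(1).decode("ascii").lower(), "meta"
    if declared is None:
        notes.append("no charset declared")
        return FALLBACK, notes
    if is_utf7_label(declared):
        notes.append(f"utf-7 label from {source} refused")
        return FALLBACK, notes
    try:
        codecs.lookup(declared)
    except LookupError:
        notes.append(f"unknown label {declared!r}")
        return FALLBACK, notes
    return declared, notes


if __name__ == "__main__":
    # Constructed sample responses, not taken from the thread.
    for ct, body in [("text/html; charset=UTF-7", b"<p>hi</p>"),
                     ("text/html", b"+/v8-<p>hi</p>"),
                     ("text/html; charset=utf-8", b"<p>hi</p>")]:
        print(ct, "->", choose_encoding(ct, body))
```

The `notes` list is meant for logging, so a server operator can find responses that ship without a charset declaration.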