Re: Feedback about the BOM article

John Cowan, Mon, 10 Dec 2012 11:53:43 -0500:
> Henri Sivonen scripsit:
> 
>> To drive this point home, maybe mention that serving user-supplied
>> content as UTF-16 is an XSS risk:
>> 
http://hsivonen.iki.fi/test/moz/never-show-user-supplied-content-as-utf-16.htm
> 
> Chrome 24.0.1312.35 beta-m on Windows does not show mojibake, doesn't let
> me change the encoding, and if XSS is happening, I'm not seeing anything.
> Google Translate renders the text as "Po fill up Yan 㹴 indignant King
> tinkling of gems ∨ radiolabeling ≓ 㬩 centering Yuewei Rose ~".

In Chrome 23 on Mac, then there is mojibake, and it looks like so: 猼牣
灩㹴愠敬瑲∨単≓㬩⼼捳楲瑰‾. A XSS message is displayed in Firefox 17 if 
one manually change the encoding. Thus is sounds like my copy of Chrome 
23 and Google Translate *agree* about the encoding, whereas something 
causes your copy of Chrome 24 to see something else.

> On the other hand, <http://www.r6rs.org/final/html/r6rs/r6rs-Z-H-2.html>,
> which has no header or <meta> encoding, renders in Chrome as UTF-16LE
> and generates Chinese mojibake.  It looks fine in Firefox 17.0.1 and IE7.
> So the fact that Chrome won't let me change the encoding makes that page,
> and in fact other table-of-contents pages generated by pagetex (a LaTeX
> to HTML converter), unusable in that browser.

Did you try Google Translate on that page?

In Chrome 23, then there is no Mojibake for that page - not on my 
computer anyway.
-- 
leif halvard silli

Received on Monday, 10 December 2012 17:31:26 UTC