Re: Feedback about the BOM article

From: Leif Halvard Silli <xn--mlform-iua@xn--mlform-iua.no>
Date: Mon, 10 Dec 2012 18:30:53 +0100
To: John Cowan <cowan@mercury.ccil.org>
Cc: www-international@w3.org
Message-id: <20121210183053159053.08248545@xn--mlform-iua.no>
John Cowan, Mon, 10 Dec 2012 11:53:43 -0500:
> Henri Sivonen scripsit:
> 
>> To drive this point home, maybe mention that serving user-supplied
>> content as UTF-16 is an XSS risk:
>> 
>> http://hsivonen.iki.fi/test/moz/never-show-user-supplied-content-as-utf-16.htm
> 
> Chrome 24.0.1312.35 beta-m on Windows does not show mojibake, doesn't let
> me change the encoding, and if XSS is happening, I'm not seeing anything.
> Google Translate renders the text as "Po fill up Yan 㹴 indignant King
> tinkling of gems ∨ radiolabeling ≓ 㬩 centering Yuewei Rose ~".

In Chrome 23 on Mac, there is mojibake, and it looks like so:
猼牣灩㹴愠敬瑲∨単≓㬩⼼捳楲瑰‾. An XSS message is displayed in Firefox 17
if one manually changes the encoding. Thus it sounds like my copy of
Chrome 23 and Google Translate *agree* about the encoding, whereas
something causes your copy of Chrome 24 to see something else.

> On the other hand, <http://www.r6rs.org/final/html/r6rs/r6rs-Z-H-2.html>,
> which has no header or <meta> encoding, renders in Chrome as UTF-16LE
> and generates Chinese mojibake.  It looks fine in Firefox 17.0.1 and IE7.
> So the fact that Chrome won't let me change the encoding makes that page,
> and in fact other table-of-contents pages generated by pagetex (a LaTeX
> to HTML converter), unusable in that browser.

Did you try Google Translate on that page?

In Chrome 23, there is no mojibake for that page - not on my
computer anyway.
-- 
leif halvard silli
Received on Monday, 10 December 2012 17:31:26 GMT
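
The risk Henri Sivonen raises in the quoted text, as an added example that is not part of the original message: it models a server that HTML-escapes user text and encodes it as UTF-16, then shows what an ASCII-compatible decoder reads from the same bytes, compared with UTF-8. The function names are hypothetical, Latin-1 stands in for any ASCII-compatible decoding, and the sample input is the mojibake string quoted in the message.

```python
import html

# String quoted in the message above: what Chrome 23 showed for the test page.
PAGE_MOJIBAKE = "猼牣灩㹴愠敬瑲∨単≓㬩⼼捳楲瑰‾"


def served_bytes(user_text: str, codec: str) -> bytes:
    """Model a server that HTML-escapes user text, then encodes the response."""
    return html.escape(user_text).encode(codec)


def markup_if_mislabelled(user_text: str, codec: str = "utf-16-le"):
    """Return the escaped output as an ASCII-compatible decoder would read it,
    if that reading contains '<'; otherwise None.

    Latin-1 stands in for any ASCII-compatible encoding: it maps each byte to
    one character and leaves the ASCII range untouched.
    """
    view = served_bytes(user_text, codec).decode("latin-1")
    return view if "<" in view else None


def report(user_text: str) -> dict:
    """Compare UTF-16 (both byte orders) with UTF-8 for the same user text."""
    return {c: markup_if_mislabelled(user_text, c)
            for c in ("utf-16-le", "utf-16-be", "utf-8")}


if __name__ == "__main__":
    # The escaper has nothing to escape: the text holds no '<', '>', '&'
    # or quote characters, only non-ASCII code points.
    print("unchanged by html.escape:", html.escape(PAGE_MOJIBAKE) == PAGE_MOJIBAKE)
    for codec, view in report(PAGE_MOJIBAKE).items():
        print(f"{codec:10} -> {view!r}")
```

In UTF-8 every non-ASCII character encodes to bytes of 0x80 and above, so the escaped output cannot turn into markup under an ASCII-compatible decoding; serving user-supplied content as UTF-8 with an explicit charset removes this case.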