W3C home > Mailing lists > Public > www-international@w3.org > October to December 2012

Re: Feedback about the BOM article

From: Henri Sivonen <hsivonen@iki.fi>
Date: Mon, 10 Dec 2012 19:54:06 +0200
Message-ID: <CAJQvAueyiw01Y42GSq1yD_0CWRYDpY1kL4AukAsmztLRYEgiqQ@mail.gmail.com>
To: www-international@w3.org
On Mon, Dec 10, 2012 at 6:53 PM, John Cowan <cowan@mercury.ccil.org> wrote:
> Henri Sivonen scripsit:
>
>> To drive this point home, maybe mention that serving user-supplied
>> content as UTF-16 is an XSS risk:
>> http://hsivonen.iki.fi/test/moz/never-show-user-supplied-content-as-utf-16.htm
>
> Chrome 24.0.1312.35 beta-m on Windows does not show mojibake, doesn't let
> me change the encoding, and if XSS is happening, I'm not seeing anything.
> Google Translate renders the text as "Po fill up Yan 㹴 indignant King
> tinkling of gems ∨ radiolabeling ≓ 㬩 centering Yuewei Rose ~".

You have probably configured Chrome to automatically translate Chinese
to English using Google Translate. You should see mojibake if you have
translation disabled in Chrome.

> On the other hand, <http://www.r6rs.org/final/html/r6rs/r6rs-Z-H-2.html>,
> which has no header or <meta> encoding, renders in Chrome as UTF-16LE
> and generates Chinese mojibake.

Works for me in Chrome 24 on Linux.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Monday, 10 December 2012 17:54:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 10 December 2012 17:54:36 GMT