- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Mon, 10 Dec 2012 19:54:06 +0200
- To: www-international@w3.org
On Mon, Dec 10, 2012 at 6:53 PM, John Cowan <cowan@mercury.ccil.org> wrote: > Henri Sivonen scripsit: > >> To drive this point home, maybe mention that serving user-supplied >> content as UTF-16 is an XSS risk: >> http://hsivonen.iki.fi/test/moz/never-show-user-supplied-content-as-utf-16.htm > > Chrome 24.0.1312.35 beta-m on Windows does not show mojibake, doesn't let > me change the encoding, and if XSS is happening, I'm not seeing anything. > Google Translate renders the text as "Po fill up Yan 㹴 indignant King > tinkling of gems ∨ radiolabeling ≓ 㬩 centering Yuewei Rose ~". You have probably configured Chrome to automatically translate Chinese to English using Google Translate. You should see mojibake if you have translation disabled in Chrome. > On the other hand, <http://www.r6rs.org/final/html/r6rs/r6rs-Z-H-2.html>, > which has no header or <meta> encoding, renders in Chrome as UTF-16LE > and generates Chinese mojibake. Works for me in Chrome 24 on Linux. -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/
Received on Monday, 10 December 2012 17:54:35 UTC