W3C home > Mailing lists > Public > www-international@w3.org > January to March 2013

Re: Feedback about the BOM article

From: Henri Sivonen <hsivonen@iki.fi>
Date: Tue, 22 Jan 2013 16:08:31 +0200
Message-ID: <CAJQvAuf0EkrqsK+-sJOsSMX6HtpJ7_qmvOYoMg_G1OFxNW4Rjg@mail.gmail.com>
To: www-international@w3.org
On Tue, Dec 18, 2012 at 7:54 PM, Richard Ishida <ishida@w3.org> wrote:
> On 10/12/2012 16:16, Henri Sivonen wrote:
> I've been thinking for a while of doing just what you suggest, so I used
> some of your text. Thanks!

Thank you.

>> “since it is impossible to override manually”
>>
>> This is currently untrue in Firefox and Opera at least.
>>
> Yes. Deleted.

Now true in Firefox Nightly. :-) (Still not always true across all
possible browsers, so leaving this unmentioned makes sense.)

On Mon, Dec 10, 2012 at 6:53 PM, John Cowan <cowan@mercury.ccil.org> wrote:
> Henri Sivonen scripsit:
>
>> To drive this point home, maybe mention that serving user-supplied
>> content as UTF-16 is an XSS risk:
>> http://hsivonen.iki.fi/test/moz/never-show-user-supplied-content-as-utf-16.htm
...
>> (Sure, browsers should disable the encoding menu to mitigate that
>> attack, but for the time being, the attack is possible.)
>
> That's too drastic an action.

Firefox Nightly now defends against this attack. (The menu doesn't
appear disabled yet, though, when the menu has no effect. That part is
still pending review.)

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Tuesday, 22 January 2013 14:08:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 22 January 2013 14:09:00 GMT