
Re: Feedback about the BOM article

From: Henri Sivonen <hsivonen@iki.fi>
Date: Tue, 22 Jan 2013 16:08:31 +0200
Message-ID: <CAJQvAuf0EkrqsK+-sJOsSMX6HtpJ7_qmvOYoMg_G1OFxNW4Rjg@mail.gmail.com>
To: www-international@w3.org
On Tue, Dec 18, 2012 at 7:54 PM, Richard Ishida <ishida@w3.org> wrote:
> On 10/12/2012 16:16, Henri Sivonen wrote:
> I've been thinking for a while of doing just what you suggest, so I used
> some of your text. Thanks!

Thank you.

>> “since it is impossible to override manually”
>> This is currently untrue in Firefox and Opera at least.
> Yes. Deleted.

Now true in Firefox Nightly. :-) (Still not always true across all
possible browsers, so leaving this unmentioned makes sense.)

On Mon, Dec 10, 2012 at 6:53 PM, John Cowan <cowan@mercury.ccil.org> wrote:
> Henri Sivonen scripsit:
>> To drive this point home, maybe mention that serving user-supplied
>> content as UTF-16 is an XSS risk:
>> http://hsivonen.iki.fi/test/moz/never-show-user-supplied-content-as-utf-16.htm
>> (Sure, browsers should disable the encoding menu to mitigate that
>> attack, but for the time being, the attack is possible.)
> That's too drastic an action.

Firefox Nightly now defends against this attack. (The menu doesn't
appear disabled yet, though, when the menu has no effect. That part is
still pending review.)

Henri Sivonen
Received on Tuesday, 22 January 2013 14:08:59 UTC
