W3C home > Mailing lists > Public > www-style@w3.org > February 2004

Re: [CSS21] response to issue 115 (and 44)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 18 Feb 2004 18:35:14 -0500
Message-Id: <200402182335.i1INZE8K022526@no-knife.mit.edu>
To: Chris Lilley <chris@w3.org>
Cc: Bert Bos <bert@w3.org>, Tex Texin <tex@i18nguy.com>, www-style@w3.org

> Figures would be handy, but the point is well made.

Yeah... if I had figures, I would provide them. I'm basing my comments on my
experience with pages that Mozilla layout or style system bugs have been filed
on, which introduces all sorts of biases, of course...

> Could such security issues not be triggered by taking such a
> stylesheet and referencing it from a page with a suitable encoding
> that would, if applied to the stylesheet, trigger the error?

Sure.  _If_ the unicode decoder the UA uses does error recovery.  The point is
that with the rules outlined in the spec such error recovery would be necessary
less often than if the rule was to just treat everything as UTF-8 unless told
otherwise.  So having a UA _not_ do error recovery (and thus avoid the security
issues) would be more feasible...

> To clarify; the situation I would like to see is that all stylesheets
> declare what encoding they are in, preferably using an @charset rule
> so that authoring tools, which know this information, can reliably
> pass on this info in the stylesheets they write.

I think we would all love this... anything that leads to this is welcome in my
book.

Boris
-- 
"This isn't right.  This isn't even wrong."

                -- Wolfgang Pauli on a paper submitted 
                   by a physicist colleague
Received on Wednesday, 18 February 2004 18:35:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:26 GMT