
Re: [css-mobile] @charset / typo

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 07 Aug 2008 14:35:11 -0400
Message-ID: <489B405F.1020201@mit.edu>
To: Peter Linss <peter.linss@hp.com>
CC: Anne van Kesteren <annevk@opera.com>, Jens Meiert <jens@meiert.com>, "www-style@w3.org" <www-style@w3.org>

Peter Linss wrote:
> That frightens me. If there's a security hole from incorrectly detecting 
> encoding, couldn't it be exploited by explicitly declaring the wrong 
> encoding?

The security holes come in when you have filter software that doesn't 
detect things the same way as the software it's trying to protect from 
malicious content.

For example, if I'm trying to filter out certain "dangerous" parts of a 
stylesheet, say -moz-binding, but the thing that ends up parsing the 
stylesheet doesn't use the same encoding I used, it might see text that 
I didn't think said "-moz-binding" as saying "-moz-binding".

The usual consequences of failures of this sort are various 
content/script/etc injection vulnerabilities.

-Boris
Received on Thursday, 7 August 2008 18:36:16 GMT
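
An added illustration of the mismatch described in the message above (not part of the original post): a filter that assumes a fixed encoding passes a sheet in which the consuming parser still sees "-moz-binding", while a filter that decodes with the parser's own detection rejects it and re-emits accepted sheets in a single declared encoding. The detection order, function names and sample bytes are assumptions constructed for this example.

```python
import codecs
import re

BLOCKED = "-moz-binding"  # the property named in the message

# Constructed sample: a stylesheet stored as UTF-16 with a byte-order mark.
SAMPLE = "body { -moz-binding: url(placeholder) }".encode("utf-16")

def detect_encoding(raw: bytes) -> str:
    """Simplified stand-in for the consumer's detection: BOM, then @charset, then UTF-8."""
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"
    m = re.match(rb'@charset "([A-Za-z0-9_-]+)";', raw)
    return m.group(1).decode("ascii") if m else "utf-8"

def parser_view(raw: bytes) -> str:
    """Text the consuming parser ends up tokenizing."""
    return raw.decode(detect_encoding(raw))

def naive_filter_allows(raw: bytes) -> bool:
    """Filter that always assumes Latin-1, whatever the bytes declare."""
    return BLOCKED not in raw.decode("latin-1").lower()

def consistent_filter(raw: bytes):
    """Decode exactly as the parser will, check, then re-emit as UTF-8.

    Returns sanitized bytes, or None when the sheet is rejected.
    """
    try:
        text = parser_view(raw)
    except (LookupError, UnicodeError):
        return None  # unknown or invalid encoding: fail closed
    # Substring match stands in for a real CSS tokenizer.
    if BLOCKED in text.lower():
        return None
    # Replace any declared charset so the output has one unambiguous encoding.
    text = re.sub(r'^@charset "[^"]*";', "", text)
    return b'@charset "utf-8";' + text.encode("utf-8")

if __name__ == "__main__":
    print("naive filter allows sample:", naive_filter_allows(SAMPLE))
    print("parser sees blocked property:", BLOCKED in parser_view(SAMPLE))
    print("consistent filter result:", consistent_filter(SAMPLE))
```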
