W3C home > Mailing lists > Public > www-svg@w3.org > November 2004

Re: SVG 1.2 Comment: image/svg+xml;charset=""

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 24 Nov 2004 16:56:00 +0100
To: Chris Lilley <chris@w3.org>
Cc: www-svg@w3.org
Message-ID: <41afac30.212906156@smtp.bjoern.hoehrmann.de>

* Chris Lilley wrote:
>Can you explain the XSS attack and charset in more detail? What is the
>attack, does a default charset actually help prevent it or is that
>mythology, how should people actually guard against such attacks.

See for example

  * http://www.cert.org/advisories/CA-2000-02.html
  * http://www.cert.org/tech_tips/malicious_code_mitigation.html

If a web site allows to insert foreign code, you might be able to inject
specific octet sequences that affect encoding detection heuristics, for
example, injecting Bj+APY-rn might cause Internet Explorer to consider
the document UTF-7 encoded; if you inject +ADw-script+AD4... you can by-
pass code that attempts to filter script elements or escape all < chars
or makes similar attempts to protect against such attacks.
Received on Wednesday, 24 November 2004 15:56:31 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 5 February 2014 07:14:52 UTC