* Chris Lilley wrote: >Can you explain the XSS attack and charset in more detail? What is the >attack, does a default charset actually help prevent it or is that >mythology, how should people actually guard against such attacks. See for example * http://www.cert.org/advisories/CA-2000-02.html * http://www.cert.org/tech_tips/malicious_code_mitigation.html If a web site allows to insert foreign code, you might be able to inject specific octet sequences that affect encoding detection heuristics, for example, injecting Bj+APY-rn might cause Internet Explorer to consider the document UTF-7 encoded; if you inject +ADw-script+AD4... you can by- pass code that attempts to filter script elements or escape all < chars or makes similar attempts to protect against such attacks.Received on Wednesday, 24 November 2004 15:56:31 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 5 November 2012 23:52:58 GMT