
Re: SVG 1.2 Comment: image/svg+xml;charset=''

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 24 Nov 2004 17:54:09 +0100
To: ronan@roasp.com
Cc: www-svg@w3.org
Message-ID: <41b3b852.216012640@smtp.bjoern.hoehrmann.de>

* ronan@roasp.com wrote:
>Tricks with poorly formed content do not apply to XML, which is much
>stricter than sgml. This is really not a problem any more as the parsers
>simply reject malformed content.

Nothing stops SGML or HTML processors from treating ill-formed content
the same way as XML processors treat ill-formed content.

>XSS does not pose a risk with respect to encoding tricks. Zero. None. If
>the encoding of a snippet is different, the parser will not recognize the
>wrongly encoded content and just return the literal codes, causing the
>XSS trick to fail.

Consider

  Content-Type: image/svg+xml;charset=utf-8

  <?xml version="1.0" encoding="utf-7"?>
  ...
  <a>+ADw-script+AD4...script code...+ADw-/script+AD4</a>
  ...

If the charset parameter is ignored you suddenly have

  ...
  <a><script>...script code...</script></a>
  ...

Regardless of whether the charset parameter is honored there is no error
in the document.
Received on Wednesday, 24 November 2004 16:54:41 UTC
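The disagreement described in the message, as an added example that is not part of the original post: a check that compares the HTTP charset parameter with the XML declaration's encoding and lists the elements that exist under only one of the two readings. The function names and the sample bytes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the message above; the script body is an inert placeholder.
CONTENT_TYPE = "image/svg+xml;charset=utf-8"
BODY = (b'<?xml version="1.0" encoding="utf-7"?>\n'
        b'<svg><a>+ADw-script+AD4-placeholder+ADw-/script+AD4-</a></svg>')

def header_charset(content_type):
    """charset parameter of a Content-Type header value, lowercased, or None."""
    m = re.search(r';\s*charset\s*=\s*"?([\w.:-]+)', content_type, re.I)
    return m.group(1).lower() if m else None

def declared_encoding(body):
    """encoding pseudo-attribute of the XML declaration, lowercased, or None."""
    m = re.match(rb'<\?xml[^>]*?encoding\s*=\s*["\']([\w.:-]+)["\']', body)
    return m.group(1).decode("ascii").lower() if m else None

def element_names(body, encoding):
    """Element names seen when the bytes are decoded as `encoding`; None if that fails."""
    try:
        text = body.decode(encoding)
        text = re.sub(r'^<\?xml[^>]*\?>', '', text)  # already decoded, drop the declaration
        return sorted({el.tag for el in ET.fromstring(text).iter()})
    except (LookupError, UnicodeDecodeError, ET.ParseError):
        return None

def audit(content_type, body):
    """Compare the two encoding labels and the element sets each one produces."""
    hdr, decl = header_charset(content_type), declared_encoding(body)
    result = {"header": hdr, "declared": decl, "mismatch": bool(hdr and decl and hdr != decl)}
    if result["mismatch"]:
        by_hdr, by_decl = element_names(body, hdr), element_names(body, decl)
        result["by_header"], result["by_declaration"] = by_hdr, by_decl
        # Elements that exist under only one of the two readings.
        result["differs"] = sorted(set(by_hdr or []) ^ set(by_decl or []))
    return result

if __name__ == "__main__":
    print(audit(CONTENT_TYPE, BODY))
```

Both decodings parse as well-formed XML, so a well-formedness check alone does not surface the difference; only the comparison of the two readings does.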
