<ronan@roasp.com> wrote in message news:39957.127.0.0.1.1101313599.squirrel@127.0.0.1...
> XSS does not pose a risk with respect to encoding tricks. Zero. None. If
> the encoding of a snippet is different, the parser will not recognize the
> wrongly encoded content and just return the literal codes, causing the
> XSS trick to fail.

This is incorrect, please read up on your CERT advisories, Bjoern's already given a good example.

> After all, there is no reason why SVG content would be exempt
> from the same due diligence that HTML content requires to prevent xss
> exploits.

It relies on the character encoding being known, this has already been highlighted in the thread by Robin, whereby you have the server admins requiring a charset parameter exactly because of XSS problems.

Jim.

Received on Wednesday, 24 November 2004 21:48:58 GMT
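The dependence on a known character encoding, as an added example that is not part of the original message: the same ASCII bytes contain no markup when a filter reads them as ISO-8859-1, and a harmless `<b>` tag when a consumer reads them as UTF-7. The choice of UTF-7, the sample bytes and the function names are assumptions made for this illustration.

```python
from email.message import Message

# Characters an output filter would escape before echoing untrusted text.
MARKUP = set("<>&\"'")

# Constructed sample: untrusted bytes echoed into a response. Pure ASCII,
# carrying a harmless <b> tag written in UTF-7.
SAMPLE = b"+ADw-b+AD4-hello+ADw-/b+AD4-"


def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()


def has_markup(raw, charset):
    """Decode raw under charset and report whether markup characters appear."""
    return any(ch in MARKUP for ch in raw.decode(charset))


def verdict(raw, content_type):
    """Classify untrusted bytes for a response with this Content-Type."""
    charset = declared_charset(content_type)
    if charset is None:
        # The consumer will guess the encoding, so a filter run under any
        # one charset says nothing about what the consumer will parse.
        return "reject: no charset parameter"
    if has_markup(raw, charset):
        return "escape: markup under " + charset
    return "pass"


if __name__ == "__main__":
    print("as iso-8859-1:", SAMPLE.decode("iso-8859-1"))
    print("as utf-7     :", SAMPLE.decode("utf-7"))
    for ct in ("image/svg+xml",
               "image/svg+xml; charset=UTF-8",
               "text/html; charset=utf-7"):
        print(ct, "->", verdict(SAMPLE, ct))
```
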
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 4 September 2006 18:11:31 GMT