FW: ban the use and implementation of UTF-7 from Misha Wolf on 2006-12-15 (www-tag@w3.org from December 2006)

From: Misha Wolf <Misha.Wolf@reuters.com>
Date: Fri, 15 Dec 2006 07:22:50 +0000
To: www-tag@w3.org
Message-id: <A29ADE959C70A1449470AA9A212F5D8003D80852@LONSMSXM06.emea.ime.reuters.com>

fyi

________________________________

From: Deborah Goldsmith [mailto:goldsmit@apple.com] 
Sent: 15 December 2006 03:29
To: Mark Davis
Cc: Misha Wolf; www-international@w3.org; ietf-charsets@iana.org; Michel
Suignard
Subject: Re: ban the use and implementation of UTF-7


Speaking as the other author, I agree. :-) 

Deborah

On Dec 14, 2006, at 4:39 PM, Mark Davis wrote:


	Speaking as one of the authors, I think it is clear that UTF-7
should only be supported where really necessary; only in environments
that are not 8-bit clean. It was originally designed for email, but in
this day and age, 8-bit clean email transport is really not much of an
issue. 
	
	Mark
	
	
	On 12/14/06, Misha Wolf <Misha.Wolf@reuters.com> wrote: 


		fyi
		
		
		-----Original Message-----
		From: www-tag-request@w3.org
[mailto:www-tag-request@w3.org] On Behalf
		Of Roy T. Fielding 
		Sent: 14 December 2006 22:13
		To: W3C TAG
		Subject: ban the use and implementation of UTF-7
		
		
		Over the years I have seen a number of security exploits
that make
		use of broken browsers that sniff character encodings in
combination 
		with UTF-7 encoded tags or javascript commands.  I have
never actually
		seen anyone use UTF-7 for anything legitimate (other
than testing).
		
		Is there some reason why WWW clients need to support
UTF-7?
		
		It seems completely unnecessary given the now ubiquitous
use of 8-bit 
		clean transports and the presence of UTF-8, which IIRC
was defined
		long after UTF-7.  However, the wider community may be
aware of
		some reason why browsers should support it, so I'd like
to hear
		your comments. 
		
		If there is no need for UTF-7, I'd like the TAG to
consider it an
		issue for the sake of asking browsers to remove its
implementation
		and banning its use by servers.
		
		I know this won't solve any problems for deployed
clients, and 
		wouldn't be an issue at all if servers used the same
algorithm for
		escaping characters that clients used to interpret them,
but in the
		long term it will simplify some checks for XSS attacks
and I don't
		think it will harm the Web.  That is, unless there is
some significant 
		body of content out there that is encoded as UTF-7.
		
		Cheers,
		
		Roy T. Fielding
<http://roy.gbiv.com/>
		Chief Scientist, Day Software              <
http://www.day.com/>
		
		
		
		
		This email was sent to you by Reuters, the global news
and information company.
		To find out more about Reuters visit
www.about.reuters.com
		
		Any views expressed in this message are those of the
individual sender, except where the sender specifically states them to
be the views of Reuters Ltd.
		
		
		





This email was sent to you by Reuters, the global news and information company. 
To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.

Received on Friday, 15 December 2006 07:23:07 UTC