- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 15 Dec 2006 13:33:09 +0100
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: W3C TAG <www-tag@w3.org>
* Roy T. Fielding wrote:
>Over the years I have seen a number of security exploits that make
>use of broken browsers that sniff character encodings in combination
>with UTF-7 encoded tags or javascript commands. I have never actually
>seen anyone use UTF-7 for anything legitimate (other than testing).
>I know this won't solve any problems for deployed clients, and
>wouldn't be an issue at all if servers used the same algorithm for
>escaping characters that clients used to interpret them, but in the
>long term it will simplify some checks for XSS attacks and I don't
>think it will harm the Web.

That's a rather confused way of presenting this issue. It has nothing
to do with any kind of escaping algorithms or cross-site scripting
checks. "Servers" that do not declare the character encoding of the
content they serve, or that fail to ensure that the content matches
the encoding they do declare, are inherently vulnerable to attacks.

All these servers have to do to prevent these UTF-7 based attacks is
to declare the encoding in the HTTP header or using some equivalent
mechanism. The "servers" are broken if they don't, not the browsers.

Besides, none of the mainstream browsers auto-detect UTF-7 in their
latest versions, so there is hardly any issue here.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 15 December 2006 12:33:15 UTC
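The message above puts the burden on the server: declare the encoding (in the Content-Type header or an equivalent in-document mechanism) and make sure the body really is in that encoding. The following is an added example, not code from the thread or from the W3C, showing the check a server operator could run over their own responses to catch both failure modes: no declaration at all (the client has to sniff) and a declaration that the bytes do not match. The sample responses are constructed for illustration; the `<meta charset>` scan of the first 1024 bytes mirrors the common browser behaviour for the "equivalent mechanism" case but is an assumption about this example, not a normative reference.

```python
"""Audit HTTP responses for a declared charset and for a body that decodes
under it. Added example; sample responses below are constructed."""
import codecs
import re

# Constructed sample responses: name -> (headers, body bytes).
SAMPLE_RESPONSES = {
    "declared_and_valid": (
        {"Content-Type": "text/html; charset=utf-8"},
        "<p>caf\u00e9</p>".encode("utf-8"),
    ),
    "undeclared": (
        {"Content-Type": "text/html"},
        b"<p>hello</p>",
    ),
    "meta_only": (
        {"Content-Type": "text/html"},
        b'<html><head><meta charset="utf-8"></head><body>ok</body></html>',
    ),
    "declared_but_mismatched": (
        {"Content-Type": "text/html; charset=utf-8"},
        b"<p>caf\xe9</p>",  # 0xE9 is Latin-1 e-acute, not valid UTF-8
    ),
}

# Matches <meta charset="..."> and <meta http-equiv=... content="...; charset=...">.
_META_CHARSET = re.compile(
    rb'<meta[^>]*charset\s*=\s*["\']?([A-Za-z0-9._-]+)', re.IGNORECASE
)


def header_charset(content_type):
    """Return the charset parameter of a Content-Type value, lower-cased, or None."""
    if not content_type:
        return None
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset":
            value = value.strip().strip('"').strip("'").lower()
            return value or None
    return None


def meta_charset(body):
    """Return a charset declared by a <meta> tag in the first 1024 bytes, or None.
    Only the ASCII-compatible prefix is scanned (assumed to match browser practice)."""
    match = _META_CHARSET.search(body[:1024])
    return match.group(1).decode("ascii").lower() if match else None


def check_response(headers, body):
    """Return a list of findings; an empty list means the response declares an
    encoding and the body actually decodes under it."""
    findings = []
    ctype = headers.get("Content-Type") or headers.get("content-type") or ""
    # Only text content is subject to encoding sniffing in this check.
    if not ctype.split(";")[0].strip().lower().startswith("text/"):
        return findings
    charset = header_charset(ctype)
    source = "Content-Type header"
    if charset is None:
        charset = meta_charset(body)
        source = "<meta> tag"
    if charset is None:
        findings.append("no charset declared in header or <meta>; the client must sniff")
        return findings
    try:
        codec = codecs.lookup(charset)
    except LookupError:
        findings.append(f"unknown charset {charset!r} declared in {source}")
        return findings
    try:
        body.decode(codec.name)  # strict decoding: any mismatch raises
    except UnicodeDecodeError as exc:
        findings.append(
            f"body is not valid {charset} (declared in {source}): "
            f"{exc.reason} at byte offset {exc.start}"
        )
    return findings


def audit_samples():
    """Run check_response over the constructed samples; returns name -> findings."""
    return {name: check_response(h, b) for name, (h, b) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Running the script flags `undeclared` (nothing for the client to go on) and `declared_but_mismatched` (a Latin-1 byte inside a body labelled UTF-8), while the header-declared and `<meta>`-declared samples pass. The strict decode is the important part: a charset label that the bytes do not honour is exactly the "fail to ensure that the content matches the encoding they do declare" case, and it is cheap to verify at the point where the server emits the response.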