- From: Henri Sivonen <notifications@github.com>
- Date: Mon, 25 Jan 2016 03:57:18 -0800
- To: whatwg/encoding <encoding@noreply.github.com>
Received on Monday, 25 January 2016 11:57:47 UTC
> Hmm yes, URL parsing strips C0 code points.

Do you mean from the end and the start of the URL? I fail to see C0 removal within the query string.

I discovered this XSS bug independently today and came here to suggest a new step "If code point is U+001B, return error with code point." between steps 2 and 3. However, if that's deemed dangerous for whatever reason, I'd be fine with "If code point is U+001B, return error with U+FFFD."

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/encoding/issues/15#issuecomment-174484334