- From: Henri Sivonen <notifications@github.com>
- Date: Mon, 03 Jul 2017 06:29:40 -0700
- To: whatwg/encoding <encoding@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 3 July 2017 13:30:12 UTC
> It is my understanding that the reason is to prevent XSS attacks. Consider "<\u001b(B\u001b$Bscript" for example.

Why is that worth protecting against if we can't protect against "<\x1b(Js\x1b(Bcript"? That is, if we can't generate U+FFFD for all of these, is it worth generating it for any of these?

* Escape immediately followed by another escape.
* Transition from the ASCII state to the ASCII state.
* Useless transitions between the ASCII state and the Roman state.

The last one seems the hardest to prevent without potentially breaking some legitimate inputs.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/encoding/issues/115#issuecomment-312645847
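A small scanner for the three escape patterns listed in the message above, as an added example that is not part of the original e-mail or of the Encoding Standard. The function name, the labels, and the rule that a Roman run counts as "useless" when it contains no 0x5C or 0x7E byte (the two positions where JIS X 0201 Roman differs from ASCII) are assumptions made for illustration.

```python
# Added illustration: flags the three ISO-2022-JP escape patterns named in the message.
# Unrecognised ESC sequences are treated as ordinary bytes (assumption).
ESCAPES = {
    b"\x1b(B": "ascii",
    b"\x1b(J": "roman",
    b"\x1b(I": "katakana",
    b"\x1b$@": "jis0208",
    b"\x1b$B": "jis0208",
}

def scan_iso2022jp(data: bytes):
    """Return a list of (offset, label) findings; offsets point at the ESC byte."""
    findings = []
    state = "ascii"          # an ISO-2022-JP stream starts in the ASCII state
    prev_was_escape = False
    roman_start = None       # offset of the ESC ( J that opened the current Roman run
    roman_differs = False    # run contained a byte that Roman maps differently from ASCII
    i = 0
    while i < len(data):
        new_state = ESCAPES.get(data[i:i + 3])
        if new_state is None:
            if state == "roman" and data[i] in (0x5C, 0x7E):
                roman_differs = True
            prev_was_escape = False
            i += 1
            continue
        if prev_was_escape:
            findings.append((i, "escape-after-escape"))
        if state == "ascii" and new_state == "ascii":
            findings.append((i, "ascii-to-ascii"))
        if state == "roman" and not roman_differs:
            findings.append((roman_start, "roman-run-same-as-ascii"))
        if new_state == "roman":
            roman_start, roman_differs = i, False
        state, prev_was_escape = new_state, True
        i += 3
    if state == "roman" and not roman_differs:
        findings.append((roman_start, "roman-run-same-as-ascii"))
    return findings

# The two byte strings quoted in the message, plus two constructed inputs.
QUOTED_FIRST = b"<\x1b(B\x1b$Bscript"
QUOTED_SECOND = b"<\x1b(Js\x1b(Bcript"
CONSTRUCTED_YEN = b"price \x1b(J\\100\x1b(B"   # Roman run that really needs 0x5C
CONSTRUCTED_PLAIN = b"\x1b(Jabc\x1b(B"         # plain text in Roman: also flagged
```

The last constructed input shows why the third rule is the risky one: a stream that merely writes ordinary letters in the Roman state is flagged in the same way as the second quoted string.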