Re: [whatwg/encoding] Concatenating two ISO-2022-JP outputs from a conforming encoder doesn't result in conforming input (#115)

> It is my understanding that the reason is to prevent XSS attacks. Consider "<\u001b(B\u001b$Bscript" for example.

Why is that worth protecting against if we can't protect against "<\x1b(Js\x1b(Bcript"?

That is, if we can't generate U+FFFD for all of these, is it worth generating it for any of these?

* Escape immediately followed by another escape.
* Transition from the ASCII state to the ASCII state.
* Useless transitions between the ASCII state and the Roman state.

The last one seems the hardest to prevent without potentially breaking some legitimate inputs.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/encoding/issues/115#issuecomment-312645847

Received on Monday, 3 July 2017 13:30:12 UTC
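To make the three bullets concrete, here is an added example (written for this page, not code from whatwg/encoding or from anyone in the thread). It models the WHATWG ISO-2022-JP decoder's "output flag" as this reader understands it (an escape sequence that completes before the previous escape has been followed by any output is an error), which is an assumption about the spec, not a quotation of it; the JIS X 0208 table is omitted and each double-byte pair is rendered as a placeholder. `decode` shows which of the listed patterns such a decoder turns into U+FFFD; `audit` reports all three, with the third bullet read as an ASCII/Roman switch whose following segment contains neither 0x5C nor 0x7E, the only bytes the two states decode differently. The sample inputs are the two probes quoted above plus constructed encoder outputs concatenated as in the issue title.

```python
# Added example for this thread, not code from whatwg/encoding or from the
# people quoted above. It models (as an assumption about the spec's intent, not
# a copy of its text) the WHATWG ISO-2022-JP decoder's "output flag": an escape
# sequence that completes while the previous escape has not yet been followed
# by any output is an error. The JIS X 0208 table is not included; each
# double-byte pair in that state is rendered as the placeholder U+3013.

ESC = 0x1B
ASCII, ROMAN, JIS0208 = "ASCII", "Roman", "JIS X 0208"

# (lead, final) -> state, for the escape sequences this model understands.
ESCAPES = {
    (0x28, 0x42): ASCII,    # ESC ( B
    (0x28, 0x4A): ROMAN,    # ESC ( J
    (0x24, 0x40): JIS0208,  # ESC $ @
    (0x24, 0x42): JIS0208,  # ESC $ B
}

# Constructed inputs: the two probes quoted in the thread, an ASCII-to-ASCII
# probe, and two encoder outputs to concatenate as in the issue title (each is
# one character followed by the trailing ESC ( B a conforming encoder emits;
# the row/cell bytes are arbitrary values chosen for the example).
PROBE_A = b"<\x1b(B\x1b$Bscript"
PROBE_B = b"<\x1b(Js\x1b(Bcript"
PROBE_C = b"<\x1b(Bscript"
ENCODER_OUTPUT_1 = b"\x1b$B\x30\x21\x1b(B"
ENCODER_OUTPUT_2 = b"\x1b$B\x30\x22\x1b(B"


def decode(data: bytes) -> str:
    """Decode data, emitting U+FFFD wherever this model signals an error."""
    out, state, i = [], ASCII, 0
    output_flag = False  # set by an escape, cleared once a code point is emitted
    while i < len(data):
        b = data[i]
        if b == ESC:
            new_state = ESCAPES.get(tuple(data[i + 1:i + 3]))
            if new_state is None:
                # Unknown or truncated escape: report it and resume after the ESC.
                out.append("\uFFFD")
                i += 1
                continue
            state = new_state
            if output_flag:
                out.append("\uFFFD")  # escape immediately after an escape
            output_flag = True
            i += 3
        elif state == JIS0208:
            pair = data[i:i + 2]
            if len(pair) == 2 and all(0x21 <= c <= 0x7E for c in pair):
                out.append("\u3013")  # stands in for the mapped character
                i += 2
            else:
                out.append("\uFFFD")
                i += 1
            output_flag = False
        else:
            # ASCII and Roman: single bytes; Roman differs only at 0x5C and 0x7E.
            if b >= 0x80:
                out.append("\uFFFD")
            elif state == ROMAN and b == 0x5C:
                out.append("\u00A5")
            elif state == ROMAN and b == 0x7E:
                out.append("\u203E")
            else:
                out.append(chr(b))
            output_flag = False
            i += 1
    return "".join(out)


def audit(data: bytes) -> list:
    """Locate the three patterns listed in the thread, as (offset, label).

    The third label follows this example's reading of "useless": a switch
    between ASCII and Roman whose segment, up to the next escape or the end,
    contains neither 0x5C nor 0x7E, the only bytes the two states decode
    differently.
    """
    findings, state, i = [], ASCII, 0
    while i < len(data):
        new_state = ESCAPES.get(tuple(data[i + 1:i + 3])) if data[i] == ESC else None
        if new_state is None:
            i += 1
            continue
        end = i + 3
        nxt = data.find(b"\x1b", end)
        segment = data[end:nxt] if nxt != -1 else data[end:]
        if data[end:end + 1] == b"\x1b":
            findings.append((i, "escape immediately followed by another escape"))
        elif state == new_state == ASCII:
            findings.append((i, "ASCII to ASCII transition"))
        elif {state, new_state} == {ASCII, ROMAN} and not any(c in (0x5C, 0x7E) for c in segment):
            findings.append((i, "useless transition between ASCII and Roman"))
        state, i = new_state, end
    return findings


if __name__ == "__main__":
    for label, data in [("probe A", PROBE_A), ("probe B", PROBE_B), ("probe C", PROBE_C),
                        ("concatenated", ENCODER_OUTPUT_1 + ENCODER_OUTPUT_2)]:
        print(f"{label}: {data!r}")
        print("  decodes to:", ascii(decode(data)))
        print("  audit:", audit(data))
```

Running it shows the asymmetry the message is about: the output flag turns the back-to-back escapes in probe A (and in the concatenated encoder outputs) into U+FFFD, while probe B decodes to "<script" and probe C to "<script" with nothing flagged, so the ASCII-to-ASCII and ASCII/Roman cases only surface in the separate audit.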