- From: Philip Taylor <excors+whatwg@gmail.com>
- Date: Thu, 22 Oct 2009 22:45:26 +0100
On Thu, Oct 22, 2009 at 9:23 PM, Øistein E. Andersen <liszt at coq.no> wrote:
> On 22 Oct 2009, at 17:15, NARUSE, Yui wrote:
>
>> Finally, Why ISO 2022 series is discouraged is not clear.
>
> We agree on this point.

The string "????" encoded as ISO-2022-KR is the bytes 0e 3c 73 63 72 69 70 74 3e. A UA that doesn't support ISO-2022-KR (e.g. Chrome, when I last checked) will decode it as Windows-1252 and get the string "<script>", which is bad. So a site that uses ISO-2022-KR is very likely to expose some users to XSS attacks, which seems like a good reason to discourage that encoding. The same applies to other ISO-2022 encodings.

--
Philip Taylor
excors at gmail.com
Received on Thursday, 22 October 2009 14:45:26 UTC
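An added example, not part of the original message: a Python check that shows the Windows-1252 fallback reading of the bytes quoted above and flags shift-out runs that carry HTML metacharacters when read as single bytes. The function names and the benign sample are constructed for illustration, and the scan assumes SO/SI shifting only (ISO-2022-KR style), not escape-sequence designations.

```python
SO, SI = 0x0E, 0x0F           # ISO 2022 shift-out / shift-in control bytes
HTML_META = set(b"<>&\"'")    # bytes that are markup-significant when read as ASCII

# Bytes quoted in the message above.
PAGE_BYTES = bytes.fromhex("0e 3c 73 63 72 69 70 74 3e")
# Constructed sample: a shifted run whose bytes are harmless as single bytes.
BENIGN = b"abc \x0e\x30\x21\x0f def"


def fallback_view(data: bytes) -> str:
    """Text seen by a UA that lacks the encoding and decodes as Windows-1252."""
    return data.decode("cp1252", errors="replace")


def shifted_runs(data: bytes):
    """Yield (offset, run) for each byte run between SO and the next SI or end of data."""
    i = 0
    while (start := data.find(bytes([SO]), i)) != -1:
        end = data.find(bytes([SI]), start + 1)
        if end == -1:
            end = len(data)
        yield start + 1, data[start + 1:end]
        i = end + 1


def risky_runs(data: bytes):
    """Shifted runs that contain HTML metacharacters under a single-byte decode."""
    return [(off, run) for off, run in shifted_runs(data) if HTML_META & set(run)]


if __name__ == "__main__":
    print(repr(fallback_view(PAGE_BYTES)))
    for off, run in risky_runs(PAGE_BYTES):
        print(f"offset {off}: shifted run reads as {run!r} under fallback decoding")
```

A server-side filter that escapes markup only after decoding as ISO-2022-KR would pass these bytes unchanged, which is why the check works on the raw byte run instead of the decoded text.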