
[whatwg] Superset encodings [Re: ISO-8859-* and the C1 control range]

From: Philip Taylor <excors+whatwg@gmail.com>
Date: Thu, 22 Oct 2009 22:45:26 +0100
Message-ID: <ea09c0d10910221445h6162f162m55ac08711a7cfe81@mail.gmail.com>
On Thu, Oct 22, 2009 at 9:23 PM, Øistein E. Andersen <liszt at coq.no> wrote:
> On 22 Oct 2009, at 17:15, NARUSE, Yui wrote:
>
>> Finally, Why ISO 2022 series is discouraged is not clear.
>
> We agree on this point.

The string "????" encoded as ISO-2022-KR is the bytes 0e 3c 73 63 72
69 70 74 3e. A UA that doesn't support ISO-2022-KR (e.g. Chrome, when
I last checked) will decode it as Windows-1252 and get the string
"<script>", which is bad. So a site that uses ISO-2022-KR is very
likely to expose some users to XSS attacks, which seems like a good
reason to discourage that encoding. The same applies to other ISO-2022
encodings.

-- 
Philip Taylor
excors at gmail.com
Received on Thursday, 22 October 2009 14:45:26 UTC
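
The byte-level effect described in the message above, as an added example that is not part of the original post: a check that finds shift-out/shift-in regions in content labelled ISO-2022-KR and reports those that read as HTML syntax when a decoder falls back to windows-1252. The function names and the second sample are constructed for illustration, and only SO/SI are tracked (escape sequences are not interpreted).

```python
SO, SI = 0x0E, 0x0F              # ISO-2022 shift-out / shift-in control bytes
MARKUP = frozenset("<>&\"'")     # characters an HTML parser treats as syntax

def shifted_regions(data: bytes):
    """Return (start, end) offsets of byte runs between SO and SI.

    Simplification (assumption of this example): only SO/SI and end of
    input are tracked; escape sequences are not interpreted.
    """
    regions, start = [], None
    for i, b in enumerate(data):
        if b == SO and start is None:
            start = i + 1
        elif b == SI and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions

def fallback_findings(data: bytes):
    """Report shifted regions that turn into markup under windows-1252.

    Inside these regions an ISO-2022-KR decoder reads byte pairs as
    characters, but a decoder that falls back to windows-1252 reads each
    byte as the ASCII character with the same value.
    """
    findings = []
    for start, end in shifted_regions(data):
        text = data[start:end].decode("cp1252", errors="replace")
        hits = sorted(set(text) & MARKUP)
        if hits:
            findings.append({"offset": start, "fallback_text": text, "markup": hits})
    return findings

# Bytes quoted in the message above.
POST_BYTES = bytes.fromhex("0e3c7363726970743e")
# Constructed sample: designator, real ASCII markup, one shifted byte pair.
BENIGN = b"\x1b$)C<b>\x0e\x30\x21\x0f</b>"

if __name__ == "__main__":
    for name, sample in (("post", POST_BYTES), ("benign", BENIGN)):
        print(name, fallback_findings(sample))
```

Markup outside the shifted regions is not reported, since it is ASCII under both decodings; only text whose meaning changes under the fallback is flagged.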
