W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] base64 entities

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 26 Aug 2010 18:52:21 -0400
Message-ID: <4C76F025.60902@mit.edu>
On 8/26/10 6:45 PM, Adam Barth wrote:
>> Note that this issue means that using atob or btoa for dealing with this is
>> a huge pain if non-ASCII chars are involved, since those take and return
>> byte arrays masquerading as JS strings, not actual Unicode strings.
> I'm slightly confused how that works.  How do you represent arbitrary
> binary data as characters?

You mean how do atob/btoa take their binary data in JS-land?  You take 
your byte array, and convert it to a sequence of two-byte units by 
setting the high byte to 0.  This sequence of two-byte units is a JS string.

> Another option is to provide a base64
> encoder/decoder that uses UTF8 to encode/decode the binary.

Not sure what the exact proposal here is.

> Because<script>  does not decode entities in HTML, the attacker will
> be limited to what he or she can do with alphanumeric characters

OK.  I had misunderstood what you were proposing for <script> here.  The 
point is that inside <script> this base64 thing will only be useful for 
setting innerHTML, right?

Received on Thursday, 26 August 2010 15:52:21 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:26 UTC