- From: Mark Davis <mark.davis@icu-project.org>
- Date: Thu, 14 Dec 2006 16:39:00 -0800
- To: "Misha Wolf" <Misha.Wolf@reuters.com>
- Cc: www-international@w3.org, ietf-charsets@iana.org, "Deborah Goldsmith" <goldsmit@apple.com>, "Michel Suignard" <michelsu@microsoft.com>
- Message-ID: <30b660a20612141639j472eaf9j68408fd2867ce406@mail.gmail.com>
Speaking as one of the authors, I think it is clear that UTF-7 should only be supported where really necessary; only in environments that are not 8-bit clean. It was originally designed for email, but in this day and age, 8-bit clean email transport is really not much of an issue.

Mark

On 12/14/06, Misha Wolf <Misha.Wolf@reuters.com> wrote:
>
> fyi
>
> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> Of Roy T. Fielding
> Sent: 14 December 2006 22:13
> To: W3C TAG
> Subject: ban the use and implementation of UTF-7
>
> Over the years I have seen a number of security exploits that make
> use of broken browsers that sniff character encodings in combination
> with UTF-7 encoded tags or javascript commands. I have never actually
> seen anyone use UTF-7 for anything legitimate (other than testing).
>
> Is there some reason why WWW clients need to support UTF-7?
>
> It seems completely unnecessary given the now ubiquitous use of 8-bit
> clean transports and the presence of UTF-8, which IIRC was defined
> long after UTF-7. However, the wider community may be aware of
> some reason why browsers should support it, so I'd like to hear
> your comments.
>
> If there is no need for UTF-7, I'd like the TAG to consider it an
> issue for the sake of asking browsers to remove its implementation
> and banning its use by servers.
>
> I know this won't solve any problems for deployed clients, and
> wouldn't be an issue at all if servers used the same algorithm for
> escaping characters that clients used to interpret them, but in the
> long term it will simplify some checks for XSS attacks and I don't
> think it will harm the Web. That is, unless there is some significant
> body of content out there that is encoded as UTF-7.
>
> Cheers,
>
> Roy T. Fielding <http://roy.gbiv.com/>
> Chief Scientist, Day Software <http://www.day.com/>
>
> This email was sent to you by Reuters, the global news and information
> company.
> To find out more about Reuters visit www.about.reuters.com
>
> Any views expressed in this message are those of the individual sender,
> except where the sender specifically states them to be the views of Reuters
> Ltd.
Received on Friday, 15 December 2006 00:39:08 UTC