- From: Deborah Goldsmith <goldsmit@apple.com>
- Date: Thu, 14 Dec 2006 19:29:28 -0800
- To: Mark Davis <mark.davis@icu-project.org>
- Cc: Misha Wolf <Misha.Wolf@reuters.com>, www-international@w3.org, ietf-charsets@iana.org, Michel Suignard <michelsu@microsoft.com>
- Message-Id: <2FA89FCA-8881-4C45-A05A-F78E9333FBFA@apple.com>
Speaking as the other author, I agree. :-)

Deborah

On Dec 14, 2006, at 4:39 PM, Mark Davis wrote:

> Speaking as one of the authors, I think it is clear that UTF-7
> should only be supported where really necessary; only in
> environments that are not 8-bit clean. It was originally designed
> for email, but in this day and age, 8-bit clean email transport is
> really not much of an issue.
>
> Mark
>
> On 12/14/06, Misha Wolf <Misha.Wolf@reuters.com> wrote:
>
> fyi
>
> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> Of Roy T. Fielding
> Sent: 14 December 2006 22:13
> To: W3C TAG
> Subject: ban the use and implementation of UTF-7
>
> Over the years I have seen a number of security exploits that make
> use of broken browsers that sniff character encodings in combination
> with UTF-7 encoded tags or javascript commands. I have never actually
> seen anyone use UTF-7 for anything legitimate (other than testing).
>
> Is there some reason why WWW clients need to support UTF-7?
>
> It seems completely unnecessary given the now ubiquitous use of 8-bit
> clean transports and the presence of UTF-8, which IIRC was defined
> long after UTF-7. However, the wider community may be aware of
> some reason why browsers should support it, so I'd like to hear
> your comments.
>
> If there is no need for UTF-7, I'd like the TAG to consider it an
> issue for the sake of asking browsers to remove its implementation
> and banning its use by servers.
>
> I know this won't solve any problems for deployed clients, and
> wouldn't be an issue at all if servers used the same algorithm for
> escaping characters that clients used to interpret them, but in the
> long term it will simplify some checks for XSS attacks and I don't
> think it will harm the Web. That is, unless there is some significant
> body of content out there that is encoded as UTF-7.
>
> Cheers,
>
> Roy T. Fielding <http://roy.gbiv.com/>
> Chief Scientist, Day Software <http://www.day.com/>
>
> This email was sent to you by Reuters, the global news and
> information company.
> To find out more about Reuters visit www.about.reuters.com
>
> Any views expressed in this message are those of the individual
> sender, except where the sender specifically states them to be the
> views of Reuters Ltd.

Received on Friday, 15 December 2006 07:59:04 UTC
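
Added example, not part of the original thread: a Python sketch of the mismatch raised in the quoted message, where the server escapes text under one charset assumption and the client decodes it under another. The sample string, the function names and the Content-Type check are constructed for illustration.

```python
import html
import re

# Constructed sample: a harmless bold tag written in UTF-7.
# "+ADw-" and "+AD4-" are the UTF-7 forms of "<" and ">".
SAMPLE_INPUT = "+ADw-b+AD4-hello+ADw-/b+AD4-"


def escape_for_html(text: str) -> str:
    """Server-side escaping that assumes an ASCII-compatible charset."""
    return html.escape(text, quote=True)


def as_interpreted(body: bytes, charset: str) -> str:
    """What a client sees if it decodes the body with the given charset."""
    return body.decode(charset)


def declared_charset(content_type: str):
    """Return the charset parameter of a Content-Type value, or None."""
    m = re.search(r'charset\s*=\s*"?([A-Za-z0-9._-]+)', content_type, re.I)
    return m.group(1).lower() if m else None


def charset_is_pinned(content_type: str) -> bool:
    """True when the response names a charset other than UTF-7, so the
    client has nothing to sniff."""
    charset = declared_charset(content_type)
    return charset is not None and charset != "utf-7"


def markup_appears_under_utf7(escaped: str) -> bool:
    """Flag escaped output that would still contain tags if read as UTF-7."""
    try:
        decoded = escaped.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    return decoded != escaped and bool(re.search(r"[<>]", decoded))


if __name__ == "__main__":
    escaped = escape_for_html(SAMPLE_INPUT)
    body = escaped.encode("ascii")
    print("escaped output :", escaped)
    print("read as UTF-8  :", as_interpreted(body, "utf-8"))
    print("read as UTF-7  :", as_interpreted(body, "utf-7"))
    print("flagged        :", markup_appears_under_utf7(escaped))
    print("pinned (none)  :", charset_is_pinned("text/html"))
    print("pinned (utf-8) :", charset_is_pinned("text/html; charset=utf-8"))
```

The escaping step leaves the sample untouched because it contains none of the characters the escaper looks for; only the charset chosen by the client decides whether it is text or markup.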