- From: John Cowan <cowan@mercury.ccil.org>
- Date: Mon, 10 Dec 2012 11:53:43 -0500
- To: Henri Sivonen <hsivonen@iki.fi>
- Cc: www-international@w3.org
Henri Sivonen scripsit:

> To drive this point home, maybe mention that serving user-supplied
> content as UTF-16 is an XSS risk:
> http://hsivonen.iki.fi/test/moz/never-show-user-supplied-content-as-utf-16.htm

Chrome 24.0.1312.35 beta-m on Windows does not show mojibake, doesn't let
me change the encoding, and if XSS is happening, I'm not seeing anything.
Google Translate renders the text as "Po fill up Yan 㹴 indignant King
tinkling of gems ∨ radiolabeling ≓ 㬩 centering Yuewei Rose ~".

On the other hand, <http://www.r6rs.org/final/html/r6rs/r6rs-Z-H-2.html>,
which has no header or <meta> encoding, renders in Chrome as UTF-16LE and
generates Chinese mojibake. It looks fine in Firefox 17.0.1 and IE7. So
the fact that Chrome won't let me change the encoding makes that page, and
in fact other table-of-contents pages generated by pagetex (a LaTeX to HTML
converter), unusable in that browser.

> (Sure, browsers should disable the encoding menu to mitigate that
> attack, but for the time being, the attack is possible.)

That's too drastic an action.

-- 
Si hoc legere scis, nimium eruditionis habes.
Received on Monday, 10 December 2012 16:54:11 UTC
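The two situations in the message above (a page that declares no encoding at all, so the browser falls back to sniffing and may pick UTF-16LE, and a page that is deliberately served as UTF-16) are both things a server-side check can flag before content reaches a browser. The following is an added example written for this archive page, not code from the thread, from John Cowan or from Henri Sivonen. It checks a response the way browsers order their sources of truth (byte-order mark, then the `Content-Type` header, then a `<meta>` declaration in the first 1024 bytes) and reports when nothing pins the encoding or when the pinned encoding is UTF-16. The function names, the `SAMPLES` responses and the approximation of the R6RS page are all constructed for this example.

```python
"""Flag HTML responses whose character encoding is undeclared or UTF-16.

Added example for this mailing-list page; the names and sample responses
below are constructed, not taken from the thread or any real server.
"""
import re
from typing import Dict, Optional, Tuple

# charset token in a Content-Type header, e.g. "text/html; charset=utf-8"
CONTENT_TYPE_CHARSET = re.compile(r'charset\s*=\s*"?([A-Za-z0-9._-]+)', re.I)
# charset in a <meta charset=...> or <meta http-equiv ... content="...; charset=..."> tag
META_CHARSET = re.compile(rb'<meta\s[^>]*charset\s*=\s*["\']?\s*([A-Za-z0-9._-]+)', re.I)
# Browsers only prescan the first 1024 bytes for a <meta> declaration.
PRESCAN_WINDOW = 1024


def declared_encoding(headers: Dict[str, str], body: bytes) -> Optional[Tuple[str, str]]:
    """Return (source, encoding) for the first declaration found, or None.

    Precedence mirrors the HTML encoding sniffing order: BOM, then the
    transport-layer Content-Type charset, then a <meta> in the prescan window.
    """
    if body.startswith(b"\xef\xbb\xbf"):
        return ("bom", "utf-8")
    if body.startswith(b"\xff\xfe") or body.startswith(b"\xfe\xff"):
        return ("bom", "utf-16")
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    m = CONTENT_TYPE_CHARSET.search(ctype)
    if m:
        return ("header", m.group(1).lower())
    m = META_CHARSET.search(body[:PRESCAN_WINDOW])
    if m:
        return ("meta", m.group(1).decode("ascii").lower())
    return None


def assess(headers: Dict[str, str], body: bytes) -> str:
    """One-line finding for a response: ok, undeclared, or utf-16."""
    found = declared_encoding(headers, body)
    if found is None:
        # No declaration: the browser sniffs, and sniffing can land on UTF-16LE.
        return "undeclared: browser will sniff; pin charset=utf-8 in Content-Type"
    source, enc = found
    if enc.startswith("utf-16"):
        # UTF-16 is the case the thread warns about for user-supplied content.
        return f"utf-16 declared via {source}: serve user-supplied content as utf-8"
    return f"ok: {enc} via {source}"


# Constructed sample responses (not captured from real servers).
SAMPLES = {
    "pinned in header": (
        {"Content-Type": "text/html; charset=utf-8"},
        b"<!DOCTYPE html><html><body>hello</body></html>",
    ),
    "pinned by meta": (
        {"Content-Type": "text/html"},
        b'<!DOCTYPE html><html><head><meta charset="UTF-8"></head><body>hi</body></html>',
    ),
    # Approximation of the r6rs.org table of contents: no header charset, no <meta>.
    "undeclared (r6rs-like)": (
        {"Content-Type": "text/html"},
        b"<html><head><title>R6RS</title></head><body>Contents</body></html>",
    ),
    "utf-16 via header": (
        {"Content-Type": "text/html; charset=UTF-16LE"},
        "<html><body>x</body></html>".encode("utf-16-le"),
    ),
}


def run_samples() -> Dict[str, str]:
    """Assess every constructed sample and return name -> finding."""
    return {name: assess(h, b) for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, finding in run_samples().items():
        print(f"{name:24s} {finding}")
```

The check is deliberately header-first after the BOM because a `Content-Type` charset overrides any `<meta>` in every current browser; a `<meta>` alone is only seen if it falls inside the prescan window, which is why the r6rs-like sample, with no declaration anywhere, is the one that comes back as undeclared.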