- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Tue, 22 Jan 2013 16:08:31 +0200
- To: www-international@w3.org
On Tue, Dec 18, 2012 at 7:54 PM, Richard Ishida <ishida@w3.org> wrote:
> On 10/12/2012 16:16, Henri Sivonen wrote:
> I've been thinking for a while of doing just what you suggest, so I used
> some of your text. Thanks!

Thank you.

>> “since it is impossible to override manually”
>>
>> This is currently untrue in Firefox and Opera at least.
>>
> Yes. Deleted.

Now true in Firefox Nightly. :-)

(Still not always true across all possible browsers, so leaving this unmentioned makes sense.)

On Mon, Dec 10, 2012 at 6:53 PM, John Cowan <cowan@mercury.ccil.org> wrote:
> Henri Sivonen scripsit:
>
>> To drive this point home, maybe mention that serving user-supplied
>> content as UTF-16 is an XSS risk:
>> http://hsivonen.iki.fi/test/moz/never-show-user-supplied-content-as-utf-16.htm
...
>> (Sure, browsers should disable the encoding menu to mitigate that
>> attack, but for the time being, the attack is possible.)
>
> That's too drastic an action.

Firefox Nightly now defends against this attack. (The menu doesn't appear disabled yet, though, when the menu has no effect. That part is still pending review.)

--
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Tuesday, 22 January 2013 14:08:59 UTC
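The UTF-16 encoding-override risk discussed in the thread, as an added example that is not code from the mailing list, from Firefox or from the linked test page; the helper names and the two-character sample string are constructed for illustration. It shows why UTF-16 output of ordinary non-ASCII text can contain ASCII-range bytes that a byte-oriented override such as windows-1252 would read as markup, and why UTF-8 output cannot.

```python
# Added example, not code from the thread or from any browser: why serving
# user-supplied text as UTF-16 is an XSS risk when a reader can override the
# page encoding, and why UTF-8 does not share the problem.

MARKUP_BYTES = frozenset(b"<>\"'&")  # bytes an HTML parser treats specially


def leaked_ascii_bytes(text: str, encoding: str) -> bytes:
    """ASCII-range bytes that `encoding` emits for the NON-ASCII characters
    of `text`. Server-side HTML escaping never treats these characters as
    markup, but a reader who forces a byte-oriented encoding (e.g.
    windows-1252) sees the raw bytes as literal ASCII."""
    leaked = bytearray()
    for ch in text:
        if ord(ch) >= 0x80:
            leaked += bytes(b for b in ch.encode(encoding) if b < 0x80)
    return bytes(leaked)


def override_risk(text: str, encoding: str) -> bool:
    """True if an encoding override could turn non-ASCII user text into markup."""
    return any(b in MARKUP_BYTES for b in leaked_ascii_bytes(text, encoding))


def as_seen_after_override(text: str, served_as: str, override: str) -> str:
    """What a browser renders if the page is served in `served_as` but the
    reader forces `override` (the pre-fix behaviour the thread discusses)."""
    return text.encode(served_as).decode(override, errors="replace")


# Constructed sample: two ordinary non-ASCII characters (a CJK ideograph and a
# Gurmukhi vowel sign) whose UTF-16LE code units are the bytes of "<b>\n".
SAMPLE = "\u623c\u0a3e"

if __name__ == "__main__":
    print(leaked_ascii_bytes(SAMPLE, "utf-16-le"))  # b'<b>\n'
    print(override_risk(SAMPLE, "utf-16-le"))  # True
    # UTF-8 encodes every non-ASCII character using only bytes >= 0x80,
    # so no override can turn such text into markup.
    print(override_risk(SAMPLE, "utf-8"))  # False
    print(repr(as_seen_after_override(SAMPLE, "utf-16-le", "windows-1252")))  # '<b>\n'
```

The same check applied to UTF-16BE leaks the high bytes instead, so the conclusion holds for either byte order; the defence the thread describes (browsers refusing to override away from UTF-16) closes the gap on the client side, and serving UTF-8 closes it on the server side.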