- From: Phillips, Addison <addison@lab126.com>
- Date: Mon, 10 Nov 2014 19:31:07 +0000
- To: Anne van Kesteren <annevk@annevk.nl>, Shawn Steele <Shawn.Steele@microsoft.com>
- CC: "www-international@w3.org" <www-international@w3.org>
> E.g. if you can control a field of some JSON
> through a URL you could load the JSON through a <script> and get some of
> the user's data out by executing a function of sorts due to JSON being
> decoded in a different way from how the server expected it to.
>

I know this is nit-picking but I was under the impression that the *only* encodings supported for JSON were UTF-8, UTF-16, and UTF-32 (with UTF-8 as the default)?

This issue could, of course, still occur for a JSON-like script file in a legacy encoding or for JS data inside a legacy-encoded HTML file that is loaded through a <script>. But that's not JSON, per-se, is it?

Addison

Received on Monday, 10 November 2014 19:32:29 UTC