- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 07 Aug 2008 14:35:11 -0400
- To: Peter Linss <peter.linss@hp.com>
- CC: Anne van Kesteren <annevk@opera.com>, Jens Meiert <jens@meiert.com>, "www-style@w3.org" <www-style@w3.org>
Peter Linss wrote:
> That frightens me. If there's a security hole from incorrectly detecting
> encoding, couldn't it be exploited by explicitly declaring the wrong
> encoding?

The security holes come in when you have filter software that doesn't detect things the same way as the software it's trying to protect from malicious content.

For example, if I'm trying to filter out certain "dangerous" parts of a stylesheet, say -moz-binding, but the thing that ends up parsing the stylesheet doesn't use the same encoding I used, it might see text that I didn't think said "-moz-binding" as saying "-moz-binding".

The usual consequences of failures of this sort are various content/script/etc injection vulnerabilities.

-Boris
Received on Thursday, 7 August 2008 18:36:16 UTC
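The filter/consumer mismatch Boris describes, as an added example that is not part of the original thread. It is constructed Python: a naive filter that scans the stylesheet bytes as UTF-8, a deliberately simplified model of a consumer that sniffs a BOM or an `@charset` declaration before decoding (an assumption for illustration, not the exact algorithm of any real CSS implementation, and whether a given real consumer honours a declared encoding such as UTF-7 is outside what it demonstrates), and a hardened filter that decodes the bytes exactly the way the consumer will. The payloads and the `-moz-binding` check are constructed sample data.

```python
"""Encoding-mismatch bypass of a stylesheet filter (constructed example)."""
import codecs
import re

# The "dangerous" token the filter is trying to keep out of stylesheets.
DANGEROUS = re.compile(r"-moz-binding", re.IGNORECASE)


def naive_filter_allows(raw: bytes) -> bool:
    """Filter that assumes UTF-8 regardless of what the consumer will do.

    Returns True when it sees nothing it considers dangerous.
    """
    text = raw.decode("utf-8", errors="replace")
    return DANGEROUS.search(text) is None


def consumer_decode(raw: bytes) -> str:
    """Simplified model of a consumer's encoding sniffing (assumption).

    Order: UTF-16/UTF-8 byte-order mark, then an ASCII @charset rule,
    then a UTF-8 fallback. Real implementations are more detailed; the
    point is only that the consumer's rule differs from the filter's.
    """
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[2:].decode("utf-16-be", errors="replace")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[3:].decode("utf-8", errors="replace")
    m = re.match(rb'@charset "([A-Za-z0-9_-]+)";', raw)
    if m:
        try:
            return raw.decode(m.group(1).decode("ascii"), errors="replace")
        except LookupError:
            pass  # unknown label: fall through to the default
    return raw.decode("utf-8", errors="replace")


def consumer_sees_dangerous(raw: bytes) -> bool:
    """What the consumer actually ends up parsing."""
    return DANGEROUS.search(consumer_decode(raw)) is not None


def consistent_filter_allows(raw: bytes) -> bool:
    """Hardened filter: decode exactly as the consumer does, then scan."""
    return DANGEROUS.search(consumer_decode(raw)) is None


# Constructed payloads.
# 1. Plain ASCII: filter and consumer agree, and the filter catches it.
PLAIN_PAYLOAD = b'body { -moz-binding: url("x.xml#y"); }'

# 2. Same stylesheet as UTF-16LE with a BOM. Read as UTF-8 it is
#    "-\x00m\x00o\x00z..." and never matches; the consumer honours the BOM.
UTF16_PAYLOAD = codecs.BOM_UTF16_LE + PLAIN_PAYLOAD.decode("ascii").encode(
    "utf-16-le"
)

# 3. A declared encoding. "+AG0-" is the UTF-7 form of the letter "m",
#    so the consumer decodes "-+AG0-oz-binding" to "-moz-binding".
UTF7_PAYLOAD = b'@charset "utf-7";\nbody { -+AG0-oz-binding: url(x); }'

# Benign control: nothing to catch under either decoding.
BENIGN = b"body { color: red; }"


def report(raw: bytes) -> dict:
    """Summarise how each party sees one stylesheet."""
    return {
        "naive_filter_allows": naive_filter_allows(raw),
        "consumer_sees_dangerous": consumer_sees_dangerous(raw),
        "consistent_filter_allows": consistent_filter_allows(raw),
    }


if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_PAYLOAD), ("utf16", UTF16_PAYLOAD),
                      ("utf7", UTF7_PAYLOAD), ("benign", BENIGN)]:
        print(name, report(raw))
```

The bypass is visible in the UTF-16 and UTF-7 cases: the naive filter lets the bytes through because its own decoding never produces the string it is looking for, while the consumer's decoding does. The fix is not a better regular expression but making the filter and the consumer disagree about nothing: either decode with the same rules the consumer uses, or normalise the bytes to one known encoding before both the filter and the consumer see them.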