- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Tue, 23 Oct 2012 10:25:11 +0300
- To: www-style@w3.org
On Tue, Oct 23, 2012 at 6:02 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> 2. Nobody does anything *useful* with nulls, so getting rid of them in
>> the input string is almost certainly just fine.
>
> Modulo issues like https://bugzilla.mozilla.org/show_bug.cgi?id=228856 cited
> in the above code comment.

On the HTML side, we carefully stopped simply dropping U+0000 in places where it could lead to fooling naïve sanitizers. (Though it’s unclear if Tab meant dropping when saying “getting rid of”.)

>> 1. Go ahead and replace nulls in the input stream with U+FFFD.

In terms of helping naïve sanitizers be effective, replacing with U+FFFD is *much* better than just dropping U+0000. The main benefit of dropping U+0000 is recovering from unlabeled UTF-16, but if some popular browsers already truncate the stylesheet on U+0000, recovering from UTF-16 is a non-issue already. (Hooray.)

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Tuesday, 23 October 2012 07:25:40 UTC
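As an added illustration of the point made in the message above (this is example code written for this page, not code from the thread, from Mozilla or from any browser's CSS parser), the following compares the three null-handling strategies discussed: dropping U+0000, replacing it with U+FFFD, and truncating at it. The substring-based sanitizer, its blocklist and the sample value are all constructed for the example; `analyse` reports whether a value that the sanitizer accepted contains a blocklisted token once the consumer has applied each strategy.

```javascript
// Added example: how a consumer's U+0000 handling interacts with a naive,
// substring-based sanitizer that inspects the raw string without normalising it.
// The sanitizer, blocklist and sample input are constructed for this illustration.

// Tokens the constructed sanitizer refuses to let through in a CSS value.
const BLOCKLIST = ['expression(', 'javascript:'];

// Returns true when the naive sanitizer would accept the value as-is.
function naiveSanitizerAllows(value) {
  const lower = value.toLowerCase();
  return !BLOCKLIST.some((token) => lower.includes(token));
}

// Strategy A: silently drop every U+0000 (one reading of "getting rid of").
function dropNulls(input) {
  return input.replace(/\u0000/g, '');
}

// Strategy B: replace every U+0000 with U+FFFD, as the HTML parser does.
function replaceNullsWithFFFD(input) {
  return input.replace(/\u0000/g, '\uFFFD');
}

// Strategy C: truncate at the first U+0000 (what the message says some
// browsers do to a stylesheet).
function truncateAtNull(input) {
  const i = input.indexOf('\u0000');
  return i === -1 ? input : input.slice(0, i);
}

// For a value the sanitizer accepted, report whether each consumer-side
// strategy turns it into something the sanitizer would have rejected.
// A "true" means the null handling reassembled a blocklisted token behind
// the sanitizer's back.
function analyse(input) {
  const passed = naiveSanitizerAllows(input);
  return {
    sanitizerPassed: passed,
    dangerousAfterDrop: passed && !naiveSanitizerAllows(dropNulls(input)),
    dangerousAfterReplace: passed && !naiveSanitizerAllows(replaceNullsWithFFFD(input)),
    dangerousAfterTruncate: passed && !naiveSanitizerAllows(truncateAtNull(input)),
  };
}

// Constructed sample: a U+0000 sits inside a blocklisted token, so the raw
// string does not contain the token and the naive sanitizer accepts it.
const SAMPLE = 'width: expr\u0000ession(1)';

console.log(analyse(SAMPLE));
```

Running the block prints `dangerousAfterDrop: true` but `dangerousAfterReplace: false` and `dangerousAfterTruncate: false`: dropping the null stitches the token back together after the sanitizer has already run, whereas U+FFFD keeps the token split and truncation discards it.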