W3C home > Mailing lists > Public > www-style@w3.org > October 2012

Re: [css3-syntax] Null bytes and U+0000

From: Henri Sivonen <hsivonen@iki.fi>
Date: Tue, 23 Oct 2012 10:25:11 +0300
Message-ID: <CAJQvAucC+1BCcwVfTrH0Kpig30C_T+3mq6qCsSOc5NAx2ifOfg@mail.gmail.com>
To: www-style@w3.org
On Tue, Oct 23, 2012 at 6:02 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> 2. Nobody does anything *useful* with nulls, so getting rid of them in
>> the input string is almost certainly just fine.
> Modulo issues like https://bugzilla.mozilla.org/show_bug.cgi?id=228856 cited
> in the above code comment.

On the HTML side, we carefully stopped simply dropping U+0000 in
places where it could lead to fooling naïve sanitizers. (Though it’s
unclear if Tab meant dropping when saying “getting rid of”.)

>> 1. Go ahead and replace nulls in the input stream with U+FFFD.

In terms of helping naïve sanitizers be effective, replacing with
U+FFFD is *much* better than just dropping U+0000.

The main benefit of dropping U+0000 is recovering from unlabeled
UTF-16, but if some popular browsers already truncate the stylesheet
on U+0000, recovering from UTF-16 is a non-issue already. (Hooray.)

Henri Sivonen
Received on Tuesday, 23 October 2012 07:25:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:08:22 UTC