- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 24 Nov 2004 16:56:00 +0100
- To: Chris Lilley <chris@w3.org>
- Cc: www-svg@w3.org
* Chris Lilley wrote:
>Can you explain the XSS attack and charset in more detail? What is the
>attack, does a default charset actually help prevent it or is that
>mythology, how should people actually guard against such attacks.

See for example

  * http://www.cert.org/advisories/CA-2000-02.html
  * http://www.cert.org/tech_tips/malicious_code_mitigation.html

If a web site allows foreign code to be inserted, you might be able to
inject specific octet sequences that affect encoding detection
heuristics, for example, injecting Bj+APY-rn might cause Internet
Explorer to consider the document UTF-7 encoded; if you inject
+ADw-script+AD4... you can bypass code that attempts to filter script
elements or escape all < chars or makes similar attempts to protect
against such attacks.
Received on Wednesday, 24 November 2004 15:56:31 UTC
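
Added example, not part of the original message: a Python sketch of why an escaping filter leaves the UTF-7 octets from the message untouched, and a check that flags a response which declares no charset while its body carries UTF-7-encoded markup characters. The function names and the sample input are assumptions made for illustration.

```python
import html
import re
from email.message import Message
from typing import List, Optional

# Constructed sample: the octets quoted in the message, with a closing '-'.
SAMPLE = "+ADw-script+AD4-"

# UTF-7 shift sequence: '+', modified-base64 characters, optional '-' terminator.
SHIFT_SEQ = re.compile(rb"\+[A-Za-z0-9+/]+-?")
MARKUP_CHARS = set("<>\"'&")

def escape_for_html(text: str) -> str:
    """Output filter of the kind the message mentions: escapes <, >, &, quotes."""
    return html.escape(text, quote=True)

def utf7_hidden_markup(data: bytes) -> List[str]:
    """Decode each UTF-7 shift sequence; return those that yield markup characters."""
    hits = []
    for match in SHIFT_SEQ.finditer(data):
        try:
            decoded = match.group().decode("utf-7")
        except UnicodeDecodeError:
            continue  # '+' followed by text that is not a valid shift sequence
        if MARKUP_CHARS & set(decoded):
            hits.append(decoded)
    return hits

def declared_charset(content_type: Optional[str]) -> Optional[str]:
    """Return the charset parameter of a Content-Type header value, or None."""
    if not content_type:
        return None
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()

def sniffing_exposure(content_type: Optional[str], body: bytes) -> bool:
    """True when no charset is declared and the body carries UTF-7-encoded markup."""
    return declared_charset(content_type) is None and bool(utf7_hidden_markup(body))

if __name__ == "__main__":
    escaped = escape_for_html(SAMPLE)
    print(escaped == SAMPLE)  # the filter left the input unchanged
    print(utf7_hidden_markup(escaped.encode()))
    print(sniffing_exposure("text/html", escaped.encode()))
    print(sniffing_exposure("text/html; charset=utf-8", escaped.encode()))
```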