Re: SVG 1.2 Comment: image/svg+xml;charset=""

* Chris Lilley wrote:
>Can you explain the XSS attack and charset in more detail? What is the
>attack, does a default charset actually help prevent it or is that
>mythology, how should people actually guard against such attacks.

See for example

  * http://www.cert.org/advisories/CA-2000-02.html
  * http://www.cert.org/tech_tips/malicious_code_mitigation.html

If a web site allows foreign code to be inserted, you might be able to inject
specific octet sequences that affect encoding detection heuristics; for
example, injecting Bj+APY-rn might cause Internet Explorer to consider
the document UTF-7 encoded. If you inject +ADw-script+AD4... you can
bypass code that attempts to filter script elements or escape all < chars
or makes similar attempts to protect against such attacks.

Received on Wednesday, 24 November 2004 15:56:31 UTC
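
Added example, not part of the original message: a Python sketch of why a filter that escapes `<` does not see the `+ADw-script+AD4` form described above, and how the same bytes decode under a guessed UTF-7 versus a declared charset. The function names, the sample string and the choice of UTF-8 as the declared charset are assumptions made for illustration.

```python
import html

# Constructed sample built from the +ADw-script+AD4 pattern quoted in the message.
SAMPLE = "+ADw-script+AD4-example+ADw-/script+AD4-"

MARKUP_CHARS = set("<>\"'&")


def escape_filter(text):
    """Typical output filter: escape HTML metacharacters in untrusted text."""
    return html.escape(text, quote=True)


def decode_as(data, charset):
    """Decode served bytes the way a client using `charset` would."""
    return data.decode(charset, "replace")


def utf7_hides_markup(text):
    """True if decoding as UTF-7 reveals markup characters absent from the raw text."""
    decoded = decode_as(text.encode("ascii", "replace"), "utf-7")
    return bool((MARKUP_CHARS & set(decoded)) - set(text))


def content_type(media_type="text/html", charset="utf-8"):
    """Header value with an explicit charset, so the client has nothing to guess."""
    return f"{media_type}; charset={charset}"


if __name__ == "__main__":
    filtered = escape_filter(SAMPLE)           # nothing to escape: no '<' present
    served = filtered.encode("ascii")
    print("after filter   :", filtered)
    print("guessed UTF-7  :", decode_as(served, "utf-7"))
    print("declared UTF-8 :", decode_as(served, "utf-8"))
    print("flag as UTF-7  :", utf7_hides_markup(SAMPLE))
    print("Content-Type   :", content_type())
```

The filter output is byte-for-byte identical to its input, so the check has to be made on the decoded form, or the decoding has to be fixed by the server's declared charset.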