- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 24 Nov 2004 17:54:09 +0100
- To: ronan@roasp.com
- Cc: www-svg@w3.org
* ronan@roasp.com wrote:
>Tricks with poorly formed content do not apply to XML, which is much
>stricter than sgml. This is really not a problem any more as the parsers
>simply reject malformed content.

Nothing stops SGML or HTML processors from treating ill-formed content
the same way as XML processors treat ill-formed content.

>XSS does not pose a risk with respect to encoding tricks. Zero. None. If
>the encoding of a snippet is different, the parser will not recognize the
>wrongly encoded content and just return the literal codes, causing the
>XSS trick to fail.

Consider

  Content-Type: image/svg+xml;charset=utf-8

  <?xml version="1.0" encoding="utf-7"?>
  ...
  <a>+ADw-script+AD4...script code...+ADw-/script+AD4</a>
  ...

If the charset parameter is ignored you suddenly have

  ...
  <a><script>...script code...</script></a>
  ...

Regardless of whether the charset parameter is honored there is no error
in the document.
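The check a receiving application would want here, as an added example that is not part of the original thread: compare the charset from the Content-Type header with the encoding named in the XML declaration, flag any disagreement, and decode using the transport charset when one is given. The sample header and body are constructed after the message above; the function names are this example's own.

```python
import codecs
import re

# Constructed sample modelled on the message: the HTTP header says UTF-8 while
# the XML declaration claims UTF-7. The body is pure ASCII, so both decodings
# succeed without error, which is exactly the point being made.
SAMPLE_CONTENT_TYPE = "image/svg+xml;charset=utf-8"
SAMPLE_BODY = (
    b'<?xml version="1.0" encoding="utf-7"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<a>+ADw-script+AD4...script code...+ADw-/script+AD4</a></svg>\n'
)

_CHARSET_PARAM = re.compile(r';\s*charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.I)
_XML_DECL_ENCODING = re.compile(
    rb'^\s*<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')

def canonical(name):
    """Map an encoding label to Python's canonical codec name so aliases such as
    UTF8 / utf-8 compare equal; unknown labels are kept lowercased."""
    if name is None:
        return None
    try:
        return codecs.lookup(name).name
    except LookupError:
        return name.lower()

def http_charset(content_type):
    m = _CHARSET_PARAM.search(content_type)
    return canonical(m.group(1)) if m else None

def xml_declared_encoding(body):
    m = _XML_DECL_ENCODING.match(body)
    return canonical(m.group(1).decode("ascii")) if m else None

def charset_conflict(content_type, body):
    """Return (http, xml, conflict). A conflict means the transport charset and the
    in-document declaration disagree, which is worth logging or rejecting outright."""
    http = http_charset(content_type)
    xml = xml_declared_encoding(body)
    return http, xml, (http is not None and xml is not None and http != xml)

def decode_honoring_http(content_type, body):
    """Decode with the Content-Type charset when present; only fall back to the
    XML declaration, then UTF-8, when the header carries no charset at all."""
    enc = http_charset(content_type) or xml_declared_encoding(body) or "utf-8"
    return body.decode(enc)

if __name__ == "__main__":
    print(charset_conflict(SAMPLE_CONTENT_TYPE, SAMPLE_BODY))
    print(decode_honoring_http(SAMPLE_CONTENT_TYPE, SAMPLE_BODY))
```

With the header honored, the decoded text still contains the literal `+ADw-script+AD4` sequence rather than a `<script>` element, which is the behaviour the message argues processors must preserve.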
Received on Wednesday, 24 November 2004 16:54:41 UTC