Re: SVG 1.2 Comment: image/svg+xml;charset=''

* ronan@roasp.com wrote:
>Tricks with poorly formed content do not apply to XML, which is much
>stricter than sgml. This is really not a problem any more as the parsers
>simply reject malformed content.

Nothing stops SGML or HTML processors from treating ill-formed content
the same way as XML processors treat ill-formed content.

>XSS does not pose a risk with respect to encoding tricks. Zero. None. If
>the encoding of a snippet is different, the parser will not recognize the
>wrongly encoded content and just return the literal codes, causing the
>XSS trick to fail.

Consider

  Content-Type: image/svg+xml;charset=utf-8

  <?xml version="1.0" encoding="utf-7"?>
  ...
  <a>+ADw-script+AD4...script code...+ADw-/script+AD4</a>
  ...

If the charset parameter is ignored you suddenly have

  ...
  <a><script>...script code...</script></a>
  ...

Regardless of whether the charset parameter is honored there is no error
in the document.

Received on Wednesday, 24 November 2004 16:54:41 UTC
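
The mismatch described in the message above can be checked on the receiving side. The following is an added example, not part of the original message: it compares the HTTP charset parameter with the XML declaration's encoding and reports element names that exist under only one of the two labels. The function names and the sample document (modelled on the message's example, with a placeholder script body) are assumptions made for illustration.

```python
import codecs
import re
from email.message import Message

XML_DECL = re.compile(
    rb'(?:\xef\xbb\xbf)?<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z][A-Za-z0-9._-]*)["\']')
START_TAG = re.compile(r'<([A-Za-z_][\w:.-]*)')

# Constructed sample; the script body is a harmless placeholder.
SAMPLE = (b'<?xml version="1.0" encoding="utf-7"?>\n'
          b'<svg xmlns="http://www.w3.org/2000/svg">\n'
          b'<a>+ADw-script+AD4-/* constructed */+ADw-/script+AD4-</a>\n'
          b'</svg>\n')

def normalize(label):
    """Canonical codec name, or the lowercased label if Python does not know it."""
    try:
        return codecs.lookup(label).name
    except LookupError:
        return label.lower()

def http_charset(content_type):
    msg = Message()
    msg['Content-Type'] = content_type
    value = msg.get_param('charset')
    return normalize(value) if isinstance(value, str) and value else None

def xml_decl_encoding(body):
    m = XML_DECL.match(body)
    return normalize(m.group(1).decode('ascii')) if m else None

def start_tags(body, encoding):
    """Element names visible when the bytes are decoded under one label."""
    try:
        text = body.decode(encoding, errors='replace')
    except LookupError:
        return None  # label names no codec available here
    return {name.lower() for name in START_TAG.findall(text)}

def check_labels(content_type, body):
    outer, inner = http_charset(content_type), xml_decl_encoding(body)
    finding = {'http': outer, 'xml': inner, 'conflict': False,
               'label_dependent_tags': set()}
    if outer and inner and outer != inner:
        finding['conflict'] = True
        a, b = start_tags(body, outer), start_tags(body, inner)
        if a is not None and b is not None:
            # Markup that appears or disappears depending on which label wins.
            finding['label_dependent_tags'] = a ^ b
    return finding
```

A filter that inspects the bytes under one label while the consumer decodes under the other sees a different element tree, so a conflict with a non-empty `label_dependent_tags` set is a reason to reject or re-serialize the document under a single encoding.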