Re: SVG 1.2 Comment: image/svg+xml;charset=''

<ronan@roasp.com> wrote in message 
news:39957.127.0.0.1.1101313599.squirrel@127.0.0.1...
> XSS does not pose a risk with respect to encoding tricks. Zero. None. If
> the encoding of a snippet is different, the parser will not recognize the
> wrongly encoded content and just return the litteral codes, causing the
> XSS trick to fail.

This is incorrect, please read up on your CERT advisories, Bjoern's already 
given a good example.

> After all, there is no reason why SVG content would be exempt
> from the same due dilligence that HTML content requires to prevent xss
> exploits.

It relies on the character encoding being known, this has already been 
highlighted in the thread by Robin, whereby you have the server admins 
requiring a charset parameter exactly because of  XSS problems.

Jim. 

Received on Wednesday, 24 November 2004 21:48:58 UTC