- From: Jim Ley <jim@jibbering.com>
- Date: Wed, 24 Nov 2004 21:48:52 -0000
- To: www-svg@w3.org
<ronan@roasp.com> wrote in message news:39957.127.0.0.1.1101313599.squirrel@127.0.0.1...
> XSS does not pose a risk with respect to encoding tricks. Zero. None. If
> the encoding of a snippet is different, the parser will not recognize the
> wrongly encoded content and just return the literal codes, causing the
> XSS trick to fail.

This is incorrect, please read up on your CERT advisories, Bjoern's already
given a good example.

> After all, there is no reason why SVG content would be exempt
> from the same due diligence that HTML content requires to prevent xss
> exploits.

It relies on the character encoding being known, this has already been
highlighted in the thread by Robin, whereby you have the server admins
requiring a charset parameter exactly because of XSS problems.

Jim.
Received on Wednesday, 24 November 2004 21:48:58 UTC
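The point about the encoding having to be known, as an added Python example that is not part of the original thread: the same bytes, run through an HTML escaper that assumes ASCII, contain nothing to escape, but decoded under a different declared charset (UTF-7 in this constructed sample) they are markup. The sample bytes, the Content-Type values and the helper names are constructed for this illustration.

```python
import html
from typing import Optional

# Constructed sample: bytes as a filter would receive them with no charset
# declared. Read as ASCII they hold no '<' or '>'; read as UTF-7 the same
# bytes decode to a <script> tag ('+ADw-' is '<', '+AD4-' is '>').
SAMPLE_BYTES = b"+ADw-script+AD4-"


def escape_bytes_naively(raw: bytes) -> str:
    """A filter that escapes before the charset is known, treating the
    bytes as ASCII. It finds nothing to escape in SAMPLE_BYTES, yet a
    consumer that later decodes the same bytes as UTF-7 sees live markup."""
    return html.escape(raw.decode("ascii"), quote=True)


def decode_and_escape(raw: bytes, charset: str) -> str:
    """The correct order: decode under the declared charset first, then
    escape the resulting text, so the escaper sees what the consumer sees."""
    return html.escape(raw.decode(charset), quote=True)


def charset_from_content_type(content_type: str) -> Optional[str]:
    """Return the charset parameter of a Content-Type header value, or None
    when the header leaves the encoding unknown (the case the server admins
    in the thread refuse to serve)."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset" and value:
            return value.strip().strip('"').lower()
    return None
```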