Re: SVG 1.2 Comment: image/svg+xml;charset='' from Jim Ley on 2004-11-24 (www-svg@w3.org from November 2004)

From: Jim Ley <jim@jibbering.com>
Date: Wed, 24 Nov 2004 21:48:52 -0000
To: www-svg@w3.org
Message-ID: <co2vk4$av8$1@sea.gmane.org>

<ronan@roasp.com> wrote in message 
news:39957.127.0.0.1.1101313599.squirrel@127.0.0.1...
> XSS does not pose a risk with respect to encoding tricks. Zero. None. If
> the encoding of a snippet is different, the parser will not recognize the
> wrongly encoded content and just return the litteral codes, causing the
> XSS trick to fail.

This is incorrect, please read up on your CERT advisories, Bjoern's already 
given a good example.

> After all, there is no reason why SVG content would be exempt
> from the same due dilligence that HTML content requires to prevent xss
> exploits.

It relies on the character encoding being known, this has already been 
highlighted in the thread by Robin, whereby you have the server admins 
requiring a charset parameter exactly because of  XSS problems.

Jim.

Received on Wednesday, 24 November 2004 21:48:58 UTC