FW: FW: ban the use and implementation of UTF-7 from Misha Wolf on 2006-12-15 (www-tag@w3.org from December 2006)

From: Misha Wolf <Misha.Wolf@reuters.com>
Date: Fri, 15 Dec 2006 07:22:28 +0000
To: www-tag@w3.org
Message-id: <A29ADE959C70A1449470AA9A212F5D8003D80851@LONSMSXM06.emea.ime.reuters.com>

fyi

________________________________

From: mark.edward.davis@gmail.com [mailto:mark.edward.davis@gmail.com]
On Behalf Of Mark Davis
Sent: 15 December 2006 00:39
To: Misha Wolf
Cc: www-international@w3.org; ietf-charsets@iana.org; Deborah Goldsmith;
Michel Suignard
Subject: Re: FW: ban the use and implementation of UTF-7


Speaking as one of the authors, I think it is clear that UTF-7 should
only be supported where really necessary; only in environments that are
not 8-bit clean. It was originally designed for email, but in this day
and age, 8-bit clean email transport is really not much of an issue. 

Mark


On 12/14/06, Misha Wolf <Misha.Wolf@reuters.com> wrote: 


	fyi
	
	
	-----Original Message-----
	From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On
Behalf
	Of Roy T. Fielding 
	Sent: 14 December 2006 22:13
	To: W3C TAG
	Subject: ban the use and implementation of UTF-7
	
	
	Over the years I have seen a number of security exploits that
make
	use of broken browsers that sniff character encodings in
combination 
	with UTF-7 encoded tags or javascript commands.  I have never
actually
	seen anyone use UTF-7 for anything legitimate (other than
testing).
	
	Is there some reason why WWW clients need to support UTF-7?
	
	It seems completely unnecessary given the now ubiquitous use of
8-bit 
	clean transports and the presence of UTF-8, which IIRC was
defined
	long after UTF-7.  However, the wider community may be aware of
	some reason why browsers should support it, so I'd like to hear
	your comments. 
	
	If there is no need for UTF-7, I'd like the TAG to consider it
an
	issue for the sake of asking browsers to remove its
implementation
	and banning its use by servers.
	
	I know this won't solve any problems for deployed clients, and 
	wouldn't be an issue at all if servers used the same algorithm
for
	escaping characters that clients used to interpret them, but in
the
	long term it will simplify some checks for XSS attacks and I
don't
	think it will harm the Web.  That is, unless there is some
significant 
	body of content out there that is encoded as UTF-7.
	
	Cheers,
	
	Roy T. Fielding
<http://roy.gbiv.com/>
	Chief Scientist, Day Software              <
http://www.day.com/>
	
	
	
	
	This email was sent to you by Reuters, the global news and
information company.
	To find out more about Reuters visit www.about.reuters.com
	
	Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be the views
of Reuters Ltd.
	
	
	




This email was sent to you by Reuters, the global news and information company. 
To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.

Received on Friday, 15 December 2006 07:22:50 UTC