Re: ban the use and implementation of UTF-7

* Roy T. Fielding wrote:
>Over the years I have seen a number of security exploits that make
>use of broken browsers that sniff character encodings in combination
>with UTF-7 encoded tags or javascript commands.  I have never actually
>seen anyone use UTF-7 for anything legitimate (other than testing).

>I know this won't solve any problems for deployed clients, and
>wouldn't be an issue at all if servers used the same algorithm for
>escaping characters that clients used to interpret them, but in the
>long term it will simplify some checks for XSS attacks and I don't
>think it will harm the Web.

That's a rather confused way of presenting this issue. It has nothing to
do with any kind of escaping algorithms or cross-site scripting checks.
"Servers" that do not declare the character encoding of the content they
serve, or that fail to ensure that the content matches the encoding they
do declare, are inherently vulnerable to attacks. All these servers have
to do to prevent these UTF-7 based attacks is to declare the encoding in
the HTTP header or using some equivalent mechanism. The "servers" are
broken if they don't, not the browsers. Besides, none of the mainstream
browsers auto-detect UTF-7 in their latest versions, so there is hardly
any issue here.
Björn Höhrmann · ·
Weinh. Str. 22 · Telefon: +49(0)621/4309674 ·
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · 

Received on Friday, 15 December 2006 12:33:15 UTC