From: Peter Krefting (firstname.lastname@example.org)
Date: Tue Dec 22 2009 - 01:18:02 CST
Doug Ewell <email@example.com>:
> SCSU is completely ASCII-based, as long as the text is in single-byte
> mode, which would be the case for the entire HTML header, and usually
> the entire text when encoding small alphabets.
True, but IIRC you can also encode the ASCII characters using other
methods, and still have parts in ASCII, meaning that you could put some
SCSU inside an ASCII document and have the whole document as valid SCSU.
This could be a security risk if the container document did not declare
its encoding (think comments to a blog post here).
> The security issue is largely a red herring. Security of HTML encodings
> is related to incorrect auto-discovery of encodings, not to using
> encodings that have been properly announced.
Yes, of course. And if every document on the web would declare its
encoding properly, this would not be a problem. But the real world doesn't
work that way... :-)
> Henri Sivonen stated that the main reason for prohibiting encodings was
> to avoid "wasting developer time" and focusing attention on support of
> new features instead. Apparently he didn't feel developers were capable
> of both.
Well, here at Opera we had to disable support for two encodings (UTF-7 and
UTF-32) to become HTML5 conformant, if that isn't a waste of developer
time, I don't know what is :-)
-- \\// Peter Krefting - speaking his own mind, not that of anyone else
This archive was generated by hypermail 2.1.5 : Tue Dec 22 2009 - 01:22:25 CST