Re: HTML5 encodings (was: Re: BOCU patent)

From: Doug Ewell (
Date: Tue Dec 22 2009 - 22:03:36 CST

  • Next message: Doug Ewell: "Re: HTML5 encodings (was: Re: BOCU patent)"

    Chris Weber <chris at casabasecurity dot com> wrote:

    > In the world of Web-apps, most encoding-related security
    > vulnerabilities and exploits come from an attacker's ability to
    > control the charset emitted by the page. In other words, an attacker
    > injects some persistent UTF-7 encoded payload, and then manages to
    > solicit a victim to visit the page where the attacker's payload will
    > render AND the attacker can set the META or HTTP header charset to
    > utf-7. In this case, the browser isn't auto-discovering, it sees
    > UTF-7 as a valid declaration, and the Web-app is blind, just
    > delivering data.

    You're right, I was overly hasty in dismissing the security hazards of
    UTF-7. I'm waiting, however, to see how this scenario applies to SCSU
    in a way that wouldn't also apply to, say, UTF-16.

    Doug Ewell  |  Thornton, Colorado, USA  |
    RFC 5645, 4645, UTN #14  |  ietf-languages @ ­

    This archive was generated by hypermail 2.1.5 : Tue Dec 22 2009 - 22:05:57 CST