Re: The "prohibited" encodings...

From: Andrew Lipscomb (
Date: Wed Dec 30 2009 - 15:20:59 CST

  • Next message: Petr Tomasek: "Re: Filtering and displaying untrusted UTF-8"

    > On 12/29/2009 2:03 PM, Phillips, Addison wrote:
    >> No, that's not it.
    >> UTF-7, BOCU, and SCSU are banned either because they auto-detect
    >> as something other than themselves or because an otherwise
    >> "innocuous" byte sequence detects as being one of them, thus
    >> serving as the basis for an XSS attack. UTF-32 is banned
    >> apparently because naïve implementations might detect it as
    >> UTF-16.

    Except that UTF-32 *isn't* on the banned list that started this
    thread--discouraged, though, as I understand it. The fourth one
    was CESU-8 (which, granted, has only one character that can be
    encoded two ways, the NULL).

    This archive was generated by hypermail 2.1.5 : Wed Dec 30 2009 - 15:26:10 CST