[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: ban the use and implementation of UTF-7

To: www-international@w3.org
Subject: Re: FW: ban the use and implementation of UTF-7
From: Addison Phillips <addison@yahoo-inc.com>
Date: Tue, 19 Dec 2006 10:51:10 -0800
Cc: ietf-charsets@iana.org
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns;h=message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding;b=qQXYWLVYUCEwKj6jHA3fS8v2AdjCmotz9z3vV4sSQMUjV1rR3IuXL5+Hl+u5qOqB
In-reply-to: <45882FEA.5050604@hackcraft.net>
List-Id: <ietf-charsets.mail.apps.ietf.org>
List-Owner: <mailto:ietf-charsets-owner@mail.apps.ietf.org>
List-Subscribe: <mailto:mailserv@mail.apps.ietf.org?subject=subscribe%20ietf-charsets>
List-Unsubscribe: <mailto:mailserv@mail.apps.ietf.org?subject=unsubscribe%20ietf-charsets>
Message-hash: 842FA2B45615F77D66B738937C2317E8
Original-recipient: rfc822;ned+ietf-charsets@mrochek.com
References: <A29ADE959C70A1449470AA9A212F5D8003D8082D@LONSMSXM06.emea.ime.reuters.com><45882FEA.5050604@hackcraft.net>
Spam-test: False ; 0.0 / 4.5
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)

 >> It seems completely unnecessary given the now ubiquitous use of 8-bit
 >> clean transports and the presence of UTF-8, which IIRC was defined
 >> long after UTF-7.  However, the wider community may be aware of
 >> some reason why browsers should support it, so I'd like to hear
 >> your comments.

The problem, as I see it, is not that the browsers support conversion 
using UTF-7. It is that they auto-detect UTF-7. Since UTF-7 uses plain 
ASCII characters to form escape sequences, it turns out to be trivial to 
fool a browser into detecting UTF-7, causing an XSS security hole.

Some of us have spent more than ample time building anti-UTF-7 code 
(such as judiciously replacing '+' in UTF-7 spoof sequences with 
'&#43;'). It is nutty.

I agree with the basic premise of Roy's that UTF-7 ought to be banned. 
But it would be simpler to remove it from the list of things 
auto-detected by user agents. A page that actually uses UTF-7 really 
REALLY ought to declare that encoding (in which case no security flaw is 
present). Otherwise it should display as mojibake.

Addison

-- 
Addison Phillips
Globalization Architect -- Yahoo! Inc.

Internationalization is an architecture.
It is not a feature.

Follow-Ups:
- Re: FW: ban the use and implementation of UTF-7
  - From: Markus Scherer <markus.icu@gmail.com>

References:
- FW: ban the use and implementation of UTF-7
  - From: Misha Wolf <Misha.Wolf@reuters.com>
- Re: FW: ban the use and implementation of UTF-7
  - From: Jon Hanna <jon@hackcraft.net>

Prev by Date: Re: FW: ban the use and implementation of UTF-7
Next by Date: Re: FW: ban the use and implementation of UTF-7
Prev by thread: Re: FW: ban the use and implementation of UTF-7
Next by thread: Re: FW: ban the use and implementation of UTF-7
Index(es):
- Date
- Thread