
Re: Registering a charset alias



When the user sets the Auto-Select encoding option in MSIE, it guesses
the wrong encoding when the attacker inserts a carefully constructed
UTF-16 string that is a piece of HTML and/or JavaScript when
interpreted as ASCII.

Google Web Search has stopped serving UTF-16.

Erik

On Fri, Aug 14, 2009 at 2:08 PM, Shawn Steele<Shawn.Steele@microsoft.com> wrote:
> Hijacking the thread:  I'm curious about security issues with UTF16?  Private reply OK.
>
> -Shawn
>
> -----Original Message-----
> From: Erik van der Poel [mailto:erikv@google.com]
> Sent: Friday, August 14,  2009 14:06
> To: Shawn Steele
> Cc: Ira McDonald; Anne van Kesteren; ietf-charsets@iana.org
> Subject: Re: Registering a charset alias
>
> Agreed, except for encouraging UTF-16, which has caused various
> problems, including security issues.
>
> Erik
>
> On Fri, Aug 14, 2009 at 2:02 PM, Shawn Steele<Shawn.Steele@microsoft.com> wrote:
>> I would still hope that newer HTMLs really encourage UTF8 or UTF16 and mention the others should be used only if really necessary.
>>
>> And it might help to explain why some charsets don't work perfectly between systems (like iso8859-1/windows-1252 or others).
>>
>> -Shawn
>>
>> -----Original Message-----
>> From: Erik van der Poel [mailto:erikv@google.com]
>> Sent: Thursday, August 13,  2009 18:57
>> To: Ira McDonald
>> Cc: Anne van Kesteren; ietf-charsets@iana.org
>> Subject: Re: Registering a charset alias
>>
>> On Thu, Aug 13, 2009 at 4:14 PM, Ira McDonald<blueroofmusic@gmail.com> wrote:
>>> Does HTML5 *really* make such an unwise suggestion about
>>> treating US-ASCII and ISO-8859-1 as Windows-1252?
>>
>> If HTML were a brand new spec, I would agree, but since HTML has been
>> around for a long time and all the major implementations use the
>> supersets mentioned earlier, it would actually be unwise to refrain
>> from documenting it.
>>
>> Erik
>>
>>
>
>
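
The following is an added example, not part of the original message or of any product mentioned in the thread. It is a defender-side check for the mismatch Erik describes: text that is ordinary characters in UTF-16 but whose bytes read as markup when a parser guesses an ASCII-compatible encoding. The function names, the tag-opener pattern and the sample strings are assumptions constructed for illustration.

```python
import re

# ASCII byte pattern that an ASCII-compatible parser treats as the start of
# a tag, comment or processing instruction (assumed pattern for this example).
TAG_OPENER = re.compile(rb"<[A-Za-z/!?]")


def ascii_view_findings(text):
    """List (codec, byte_offset, ascii_snippet) for each place where the
    UTF-16 bytes of `text` look like a tag opener when read as ASCII."""
    findings = []
    for codec in ("utf-16-be", "utf-16-le"):
        raw = text.encode(codec, "surrogatepass")
        for m in TAG_OPENER.finditer(raw):
            snippet = raw[m.start():m.start() + 12].decode("ascii", "replace")
            findings.append((codec, m.start(), snippet))
    return findings


def reads_as_ascii_markup(text):
    """True if serving `text` as UTF-16 could be misread as markup."""
    return bool(ascii_view_findings(text))


# Constructed sample: five CJK code units whose big-endian bytes happen to
# spell a harmless bold tag. No '<' character is present in the text itself.
CRAFTED = b"<b>hi!</b>".decode("utf-16-be")

# Constructed sample: real ASCII markup. In UTF-16 every '<' is followed or
# preceded by a NUL byte, so the ASCII view never contains "<b".
ORDINARY = "<b>hi!</b> plain markup and caf\u00e9"

if __name__ == "__main__":
    print("crafted text has '<' character:", "<" in CRAFTED)
    for codec, offset, snippet in ascii_view_findings(CRAFTED):
        print(f"{codec} offset {offset}: {snippet!r}")
    print("ordinary text flagged:", reads_as_ascii_markup(ORDINARY))
```

A character-level filter that only looks for `<` passes the crafted string, which is why the check has to run on the encoded bytes; serving UTF-8 with an explicit charset label avoids the ambiguity altogether.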