[whatwg] Superset encodings [Re: ISO-8859-* and the C1 control range]

Philip Taylor excors+whatwg at gmail.com
Thu Oct 22 14:45:26 PDT 2009


On Thu, Oct 22, 2009 at 9:23 PM, Øistein E. Andersen <liszt at coq.no> wrote:
> On 22 Oct 2009, at 17:15, NARUSE, Yui wrote:
>
>> Finally, why the ISO 2022 series is discouraged is not clear.
>
> We agree on this point.

The string "숍訊昱穿" encoded as ISO-2022-KR is the bytes 0e 3c 73 63 72
69 70 74 3e. A UA that doesn't support ISO-2022-KR (e.g. Chrome, when
I last checked) will decode it as Windows-1252 and get the string
"<script>", which is bad. So a site that uses ISO-2022-KR is very
likely to expose some users to XSS attacks, which seems like a good
reason to discourage that encoding. The same applies to other ISO-2022
encodings.

-- 
Philip Taylor
excors at gmail.com
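The decoding mismatch described in the message above, as an added example that is not part of the original post: it decodes the same bytes as ISO-2022-KR and as Windows-1252 and reports HTML syntax characters that exist only in the fallback view. The function names are hypothetical, and the sample stream is constructed from the post's bytes with the RFC 1557 designator ESC $ ) C in front and SI (0f) at the end, which is an assumption made so that Python's standard codec treats it as a complete ISO-2022-KR stream. The EUC-KR contrast goes slightly beyond the post and is included to show an encoding where the same text stays above 0x7f.

```python
# Added example: standard-library codecs only, constructed input.
HTML_SYNTAX = set("<>&\"'")  # characters an HTML parser treats as syntax

# Constructed sample: designator ESC $ ) C, SO (0e), the eight bytes
# quoted in the post, then SI (0f) to shift back to ASCII.
SAMPLE = bytes.fromhex("1b242943" "0e" "3c7363726970743e" "0f")


def decode_both(data, declared="iso2022_kr", fallback="cp1252"):
    """Return (text as the author intended, text as a fallback UA sees it)."""
    intended = data.decode(declared)
    seen = data.decode(fallback, errors="replace")
    return intended, seen


def fallback_only_syntax(data, declared="iso2022_kr", fallback="cp1252"):
    """HTML syntax characters present in the fallback view but absent
    from the intended text, i.e. markup the author never wrote."""
    intended, seen = decode_both(data, declared, fallback)
    return sorted((set(seen) & HTML_SYNTAX) - set(intended))


def audit(data, declared):
    """One-line report suitable for a pre-publication content check."""
    extra = fallback_only_syntax(data, declared)
    verdict = "UNSAFE under fallback" if extra else "ok under fallback"
    return f"{declared}: {verdict} {extra}"


if __name__ == "__main__":
    intended, seen = decode_both(SAMPLE)
    print(repr(intended))   # four KS X 1001 characters, no markup
    print(repr(seen))       # contains the ASCII run the post warns about
    print(audit(SAMPLE, "iso2022_kr"))
    # Same text in EUC-KR: every byte of a non-ASCII character is >= 0xa1,
    # so a Windows-1252 fallback yields mojibake but no new markup.
    print(audit(intended.encode("euc_kr"), "euc_kr"))
```

A check like `fallback_only_syntax` can run on stored content before it is served under a stateful 7-bit encoding; a non-empty result means a UA that ignores the declared charset would see markup that escaping of the intended text never covered.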


