[whatwg] Superset encodings [Re: ISO-8859-* and the C1 control range]
Philip Taylor
excors+whatwg at gmail.com
Thu Oct 22 14:45:26 PDT 2009
On Thu, Oct 22, 2009 at 9:23 PM, Øistein E. Andersen <liszt at coq.no> wrote:
> On 22 Oct 2009, at 17:15, NARUSE, Yui wrote:
>
>> Finally, Why ISO 2022 series is discouraged is not clear.
>
> We agree on this point.
The string "숍訊昱穿" encoded as ISO-2022-KR is the bytes 0e 3c 73 63 72
69 70 74 3e. A UA that doesn't support ISO-2022-KR (e.g. Chrome, when
I last checked) will decode it as Windows-1252 and get the string
"<script>", which is bad. So a site that uses ISO-2022-KR is very
likely to expose some users to XSS attacks, which seems like a good
reason to discourage that encoding. The same applies to other ISO-2022
encodings.
--
Philip Taylor
excors at gmail.com
More information about the whatwg
mailing list