[whatwg] base64 entities
Boris Zbarsky
bzbarsky at MIT.EDU
Thu Aug 26 15:52:21 PDT 2010
On 8/26/10 6:45 PM, Adam Barth wrote:
>> Note that this issue means that using atob or btoa for dealing with this is
>> a huge pain if non-ASCII chars are involved, since those take and return
>> byte arrays masquerading as JS strings, not actual Unicode strings.
>
> I'm slightly confused how that works. How do you represent arbitrary
> binary data as characters?
You mean how do atob/btoa take their binary data in JS-land? You take
your byte array, and convert it to a sequence of two-byte units by
setting the high byte to 0. This sequence of two-byte units is a JS string.
> Another option is to provide a base64
> encoder/decoder that uses UTF8 to encode/decode the binary.
Not sure what the exact proposal here is.
> Because <script> does not decode entities in HTML, the attacker will
> be limited to what he or she can do with alphanumeric characters
OK. I had misunderstood what you were proposing for <script> here. The
point is that inside <script> this base64 thing will only be useful for
setting innerHTML, right?
-Boris
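
The byte-array-as-string convention described in this message, as an added example that is not part of the original e-mail. The function names are hypothetical, the sample inputs are constructed, and going through UTF-8 bytes with TextEncoder/TextDecoder is an assumption made here, not the proposal discussed in the thread.

```javascript
// Each byte becomes one 16-bit code unit whose high byte is 0.
function bytesToBinaryString(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return s;
}

// Inverse mapping: a code unit above 0xFF is not a byte, so refuse it
// instead of silently truncating.
function binaryStringToBytes(s) {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) {
    const unit = s.charCodeAt(i);
    if (unit > 0xff) throw new RangeError("code unit > 0xFF at index " + i);
    out[i] = unit;
  }
  return out;
}

// Base64 of an actual Unicode string: turn it into UTF-8 bytes first,
// then hand btoa the binary string built from those bytes.
function utf8ToBase64(text) {
  return btoa(bytesToBinaryString(new TextEncoder().encode(text)));
}

// Reverse path; fatal:true rejects byte sequences that are not valid UTF-8.
function base64ToUtf8(b64) {
  const bytes = binaryStringToBytes(atob(b64));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Constructed sample inputs: four arbitrary bytes and the euro sign (U+20AC).
function demo() {
  const rawB64 = btoa(bytesToBinaryString(Uint8Array.from([0x00, 0xff, 0x80, 0x41])));
  let btoaRejectsUnicode = false;
  try {
    btoa("\u20ac"); // code unit 0x20AC does not fit in one byte
  } catch (e) {
    btoaRejectsUnicode = true;
  }
  const euroB64 = utf8ToBase64("\u20ac");
  // atob returns one "character" per UTF-8 byte, not the original character.
  const naiveLength = atob(euroB64).length;
  return { rawB64, btoaRejectsUnicode, euroB64, naiveLength, roundTrip: base64ToUtf8(euroB64) };
}
```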