BOM inside tokens
Mark Miller
erights at gmail.com
Tue Jul 15 11:07:15 PDT 2008
On Tue, Jul 15, 2008 at 11:00 AM, Igor Bukanov <igor at mir2.org> wrote:
> 2008/7/15 Ash Berlin <ash_es4 at firemirror.com>:
> >
> > I'd say that a BOM should be treated just like any ordinary whitespace
> > char - namely that it should invalid in spaces, and beyond that why is
> > any conversion needed, since its a valid unicode character...
>
> The problem comes from the current ES3 implementations that strip BOM
> from the sources and web pages placing BOM in arbitrary places in JS
> sources. So the question is should ES4 at least partially be
> compatible with the current code?
>
As we've found with the ES3-specified stripping of Cf characters, the main
effect of such transparent stripping of characters is to help attackers slip
XSS attacks past defensive filters. ES3.1 agrees with ES4 that BOMs and Cfs
should be treated as whitespace rather than stripped.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.mozilla.org/pipermail/es-discuss/attachments/20080715/a8c2fc00/attachment-0002.html
More information about the Es4-discuss
mailing list