BOM inside tokens

Mark Miller erights at
Tue Jul 15 11:07:15 PDT 2008

On Tue, Jul 15, 2008 at 11:00 AM, Igor Bukanov <igor at> wrote:

> 2008/7/15 Ash Berlin <ash_es4 at>:
> >
> > I'd say that a BOM should be treated just like any ordinary whitespace
> > char - namely that it should invalid in spaces, and beyond that why is
> > any conversion needed, since its a valid unicode character...
> The problem comes from the current ES3 implementations that strip BOM
> from the sources and web pages placing BOM in arbitrary places in JS
> sources. So the question is should ES4 at least partially be
> compatible with the current code?

As we've found with the ES3-specified stripping of Cf characters, the main
effect of such transparent stripping of characters is to help attackers slip
XSS attacks past defensive filters. ES3.1 agrees with ES4 that BOMs and Cfs
should be treated as whitespace rather than stripped.

Text by me above is hereby placed in the public domain

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the Es4-discuss mailing list