BOM inside tokens

Igor Bukanov igor at
Tue Jul 15 11:27:39 PDT 2008

2008/7/15 Mark Miller <erights at>:
> As we've found with the ES3-specified stripping of Cf characters, the main
> effect of such transparent stripping of characters is to help attackers slip
> XSS attacks past defensive filters. ES3.1 agrees with ES4 that BOMs and Cfs
> should be treated as whitespace rather than stripped.

But this mean that it will silently change the semantic of
+<bom-or-cf>+ from ++ into + +. From the security point of view it
would be better to treat such cases as syntax errors. A possible rule
could be to allow BOM/Cf only in strings/regexp leterals or if such
character follow/precedes non-zero-width white space character.

More information about the Es4-discuss mailing list