BOM inside tokens

Mark S. Miller erights at
Tue Jul 15 11:36:03 PDT 2008

On Tue, Jul 15, 2008 at 11:27 AM, Igor Bukanov <igor at> wrote:

> 2008/7/15 Mark Miller <erights at>:
> > As we've found with the ES3-specified stripping of Cf characters, the
> main
> > effect of such transparent stripping of characters is to help attackers
> slip
> > XSS attacks past defensive filters. ES3.1 agrees with ES4 that BOMs and
> Cfs
> > should be treated as whitespace rather than stripped.

Speaking only for myself, yes, I'd be even happier with the syntax error. I
have proposed such harsh treatment before but various objections were
raised. In any case, again speaking only for myself, I'm happy with any
solution that repairs the security holes created by stripping and avoids
introducing new holes.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the Es4-discuss mailing list