BOM inside tokens
Mark S. Miller
erights at google.com
Tue Jul 15 11:36:03 PDT 2008
On Tue, Jul 15, 2008 at 11:27 AM, Igor Bukanov <igor at mir2.org> wrote:
> 2008/7/15 Mark Miller <erights at gmail.com>:
> > As we've found with the ES3-specified stripping of Cf characters, the
> > effect of such transparent stripping of characters is to help attackers
> > XSS attacks past defensive filters. ES3.1 agrees with ES4 that BOMs and
> > should be treated as whitespace rather than stripped.
Speaking only for myself, yes, I'd be even happier with the syntax error. I
have proposed such harsh treatment before but various objections were
raised. In any case, again speaking only for myself, I'm happy with any
solution that repairs the security holes created by stripping and avoids
introducing new holes.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Es4-discuss