ISSUE-376: [survey needed] create a replacement encoding

Raised by:
Addison Phillips
Opened on:

This issue tracks the bug listed above and was created as part of the WG LC process. The bug was created prior to the WG LC.


Problem statement:

1) The Encoding Standard removes the ISO-2022-CN encoding. This will make sites that rely on that encoding being supported vulnerable to XSS the way Yahoo search was vulnerable in Chrome when Chrome removed ISO-2022-KR. See

2) There exist ASCII-incompatible encodings in the world outside the Encoding Standard and support for those encodings might be exposed in server-side libraries. Sites that are naïve enough to allow the user to specify the output encoding that the site uses and thus pass the user-supplied encoding name to a server-side library without whitelisting ASCII-compatible encodings are vulnerable to EBCDIC attacks: an attacker can request that the site use an EBCDIC-based encoding and the site responds with EBCDIC, which isn't recognized by non-IE browsers, and browsers fall back on an ASCII-compatible encoding, resulting in the EBCDIC bytes being interpreted in a dangerous way. See for a reference to an actual search engine that was vulnerable to this attack.

Proposed solution:
Define a replacement encoding that decodes all possible byte values to the REPLACEMENT CHARACTER. Make the known labels for ASCII-incompatible encodings that exist but aren't part of the Encoding Standard aliases for the replacement encoding.

Additional info:
This solution would pave the way for safe removal of ISO-2022-KR and hz-gb-2312 from the set of encodings supported by the Encoding Standard.
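
The server-side whitelisting that item 2 of the problem statement calls for, as an added example that is not part of the original issue or of any project's code. It goes beyond EBCDIC by probing any codec the Python standard library exposes; the candidate list, the function names and the UTF-8 fallback are assumptions.

```python
import codecs

# Every ASCII character, used to probe how a codec encodes the ASCII range.
ASCII_PROBE = bytes(range(0x80)).decode("ascii")

def is_ascii_compatible(label):
    """True only if the codec encodes each ASCII character as its own byte."""
    try:
        return ASCII_PROBE.encode(label) == ASCII_PROBE.encode("ascii")
    except (LookupError, ValueError):
        # Unknown label, non-text codec, or a codec that cannot encode ASCII.
        return False

# Constructed candidate list; the EBCDIC and UTF-7 entries are there to show
# that the probe drops them before they can reach the allowlist.
CANDIDATES = ("utf-8", "iso-8859-1", "windows-1252", "cp037", "utf-7")
ALLOWED = {codecs.lookup(c).name for c in CANDIDATES if is_ascii_compatible(c)}
FALLBACK = "utf-8"

def choose_output_encoding(requested):
    """Map a user-supplied label to an allowlisted codec, else the fallback."""
    try:
        name = codecs.lookup(requested).name
    except (LookupError, ValueError, TypeError):
        return FALLBACK
    return name if name in ALLOWED else FALLBACK

def respond(body, requested):
    """Return (codec name, bytes) for a response body under the chosen codec."""
    name = choose_output_encoding(requested)
    # Characters the codec lacks become numeric character references.
    return name, body.encode(name, errors="xmlcharrefreplace")

if __name__ == "__main__":
    # Constructed sample labels, including an EBCDIC alias and an unknown one.
    for label in ("latin-1", "IBM037", "utf-7", "no-such-codec"):
        print(label, "->", respond("<b>caf\u00e9</b>", label))
```

The codec name returned by `respond` is what the site should declare for the response, so the declared and actual encodings never diverge from the allowlist.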
Related Actions Items:
No related actions
Related emails:
  1. I18N-ISSUE-376 (BUG21057): [survey needed] create a replacement encoding [encoding] (from on 2014-07-10)

Related notes:

These issues are now tracked at

Richard Ishida, 16 Sep 2015, 12:03:38


Addison Phillips, Chair; Richard Ishida, Bert Bos, Fuqiao Xue, Atsushi Shimono, Staff Contacts