ISSUE-376: [survey needed] create a replacement encoding
- State: CLOSED
- Product: encoding
- Raised by: Addison Phillips
- Opened on: 2014-07-10
- Description: https://www.w3.org/Bugs/Public/show_bug.cgi?id=21057
This issue tracks the bug listed above and was created as part of the WG LC process. The bug was created prior to the WG LC.
---
Problem statement:
1) The Encoding Standard removes the ISO-2022-CN encoding. This will make sites that rely on that encoding being supported vulnerable to XSS, the way Yahoo search was vulnerable in Chrome when Chrome removed ISO-2022-KR. See https://code.google.com/p/chromium/issues/detail?id=15701
2) There exist ASCII-incompatible encodings in the world outside the Encoding Standard, and support for those encodings might be exposed by server-side libraries. Sites that are naïve enough to allow the user to specify the output encoding that the site uses, and that pass the user-supplied encoding name to a server-side library without whitelisting ASCII-compatible encodings, are vulnerable to EBCDIC attacks: an attacker can request that the site use an EBCDIC-based encoding; the site responds with EBCDIC, which isn't recognized by non-IE browsers, and the browsers fall back on an ASCII-compatible encoding, resulting in the EBCDIC bytes being interpreted in a dangerous way. See http://zaynar.co.uk/docs/charset-encoding-xss.html for a reference to an actual search engine that was vulnerable to this attack.
Proposed solution:
Define a replacement encoding that decodes all possible byte values to the REPLACEMENT CHARACTER. Make the known labels for ASCII-incompatible encodings that exist but aren't part of the Encoding Standard aliases for the replacement encoding.
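As an added example (not code from the bug report, the tracker, or the Encoding Standard), the following Python sketches both halves of the proposal: a label table in which the ISO-2022-CN, ISO-2022-KR and hz-gb-2312 labels alias a replacement encoding that turns every byte into U+FFFD, and the server-side whitelist of ASCII-compatible encodings that problem statement 2 says vulnerable sites lack. The label-to-codec table is a deliberately small subset of the real one, and the extra alias spellings (csiso2022kr, iso-2022-cn-ext) are assumptions for this example.

```python
REPLACEMENT_CHARACTER = "\ufffd"

# Illustrative subset of Encoding Standard labels -> Python codec names.
# Assumption: this is not the complete label table, just enough to show the idea.
ASCII_COMPATIBLE_LABELS = {
    "utf-8": "utf-8", "utf8": "utf-8",
    "windows-1252": "cp1252", "iso-8859-1": "cp1252", "latin1": "cp1252",
    "ascii": "cp1252", "us-ascii": "cp1252",
    "shift_jis": "shift_jis", "euc-jp": "euc_jp",
    "euc-kr": "euc_kr", "gbk": "gbk", "gb2312": "gbk", "big5": "big5",
}

# Labels the proposal aliases to the replacement encoding: ISO-2022-CN,
# ISO-2022-KR and hz-gb-2312 from the description; the extra alias spellings
# (csiso2022kr, iso-2022-cn-ext) are an assumption for this example.
REPLACEMENT_LABELS = {
    "iso-2022-cn", "iso-2022-cn-ext", "iso-2022-kr", "csiso2022kr", "hz-gb-2312",
}


def normalize_label(label: str) -> str:
    """Label matching as browsers do it: strip ASCII whitespace, ASCII-lowercase."""
    stripped = label.strip(" \t\n\f\r")
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in stripped)


def get_encoding(label: str):
    """Return 'replacement', a Python codec name, or None for an unknown label."""
    key = normalize_label(label)
    if key in REPLACEMENT_LABELS:
        return "replacement"
    return ASCII_COMPATIBLE_LABELS.get(key)


def decode_with_label(label: str, data: bytes) -> str:
    """Browser-side decode: the replacement encoding maps every byte to U+FFFD,
    so attacker-controlled bytes can never come out as '<' or '"'."""
    enc = get_encoding(label)
    if enc is None:
        raise LookupError(f"unknown encoding label {label!r}")
    if enc == "replacement":
        return REPLACEMENT_CHARACTER * len(data)
    return data.decode(enc, errors="replace")


def is_ascii_compatible(codec: str) -> bool:
    """True if the codec encodes every printable ASCII character as its own
    single ASCII byte. EBCDIC (cp037) and UTF-16 both fail this test."""
    probe = "".join(chr(c) for c in range(0x20, 0x7F))
    try:
        return probe.encode(codec) == probe.encode("ascii")
    except (LookupError, UnicodeEncodeError):
        return False


def select_output_encoding(user_label: str, default: str = "utf-8") -> str:
    """Server-side whitelist: honour a user-supplied output encoding only if it
    is a known label for an ASCII-compatible encoding; otherwise use the default."""
    enc = get_encoding(user_label)
    if enc is None or enc == "replacement" or not is_ascii_compatible(enc):
        return default
    return enc


if __name__ == "__main__":
    # Why the EBCDIC case matters: '<' in cp037 is byte 0x4C, which a browser
    # falling back to windows-1252 reads as 'L'; the bytes and the characters
    # the server sanitized no longer correspond once the browser guesses wrong.
    print("<".encode("cp037"), "<".encode("cp037").decode("cp1252"))
    print(select_output_encoding("cp037"), select_output_encoding(" EUC-KR "))
    print(decode_with_label("ISO-2022-KR", b"\x1b$)C<b>"))
```

The decoder follows the proposal's wording (one U+FFFD per byte); the replacement decoder the Encoding Standard eventually specified emits a single U+FFFD for any non-empty stream, which is equally safe for the XSS concern because no input byte ever reaches the page as markup. `is_ascii_compatible` is the check a server should apply before honouring a user-supplied encoding name: it encodes the printable ASCII range and compares the result byte-for-byte with ASCII, so cp037 and UTF-16 are rejected while UTF-8, windows-1252 and the East Asian multibyte encodings pass.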
Additional info:
This solution would pave the way for safe removal of ISO-2022-KR and hz-gb-2312 from the set of encodings supported by the Encoding Standard.
- Related Action Items:
- No related actions
- Related emails:
- I18N-ISSUE-376 (BUG21057): [survey needed] create a replacement encoding [encoding] (from sysbot+tracker@w3.org on 2014-07-10)
Related notes:
These issues are now tracked at http://www.w3.org/International/docs/encoding/encoding-cr-doc
Richard Ishida, 16 Sep 2015, 12:03:38