Wed, 13 Feb 2019 at 17:57, Christopher Schultz <ch...@christopherschultz.net>:
>
> I just wanted to confirm that UTF-7 is not a typo on this page:
>
> http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#System_Properties
>
> Under the system property ENFORCE_ENCODING_IN_GET_WRITER.
>
> I'm almost certain that it's *not* a typo because UTF-7 can be
> misinterpreted as ISO-8859-1 by a particularly stupid client, but
> wanted to be sure just in case.
>
> The UTF-7 character encoding is such a rare thing that I think many
> readers might think that UTF-7 is a typo and UTF-8 might be the
> intended encoding.
>
> Since that's not the case, I'd like to add a little note that we
> really mean UTF-7 and not UTF-8 in this context.
>
Yes, UTF-7.

The question is not whether it is really used. The question is whether
a browser is able to interpret some random garbage as UTF-7.

I think none of the current browsers are able to use it, as removal of
support for UTF-7 as well as some other encodings is a requirement in
the HTML5 specification.

Wikipedia mentions that old IE was vulnerable. In Firefox, support for
it was removed in Firefox 5. (Discussion in 414064 cites the HTML 5
document and mentions some places where UTF7 was used at that time, in
the year 2010).

https://en.wikipedia.org/wiki/UTF-7
https://bugzilla.mozilla.org/show_bug.cgi?id=414064

Best regards,
Konstantin Kolinko
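
The ambiguity discussed in this thread, as an added example that is not part of the original messages and is not Tomcat code: the same ASCII-only bytes are inert text under ISO-8859-1 but become markup when a client guesses UTF-7, which is why a response should carry an explicit charset. The function names, status strings and sample body are hypothetical and constructed for illustration.

```python
# Audit sketch: flag responses whose Content-Type leaves the charset to the
# client's guess AND whose body would read differently if guessed as UTF-7.

def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.partition("=")
        if name.strip().lower() == "charset" and value.strip():
            return value.strip().strip('"').lower()
    return None

def utf7_view(body):
    """Decode body as UTF-7; None when the bytes are not valid UTF-7."""
    try:
        return body.decode("utf-7")
    except UnicodeDecodeError:
        return None

def audit_response(content_type, body):
    """Classify one response as declared / undeclared / undeclared-ambiguous."""
    if declared_charset(content_type) is not None:
        return "declared"                      # client has nothing to guess
    as_latin1 = body.decode("iso-8859-1")      # the RFC 2616 default reading
    as_utf7 = utf7_view(body)
    if as_utf7 is not None and as_utf7 != as_latin1:
        return "undeclared-ambiguous"          # two readings of the same bytes
    return "undeclared"

# Constructed sample: harmless bold markup written with UTF-7 shift sequences.
SAMPLE_BODY = b"+ADw-b+AD4-hello+ADw-/b+AD4-"

if __name__ == "__main__":
    print("ISO-8859-1 reading:", SAMPLE_BODY.decode("iso-8859-1"))
    print("UTF-7 reading:     ", utf7_view(SAMPLE_BODY))
    for ctype in ("text/html", "text/html; charset=ISO-8859-1"):
        print(ctype, "->", audit_response(ctype, SAMPLE_BODY))
```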