On Sat, Dec 02, 2006 at 11:52:47AM +0100, Florent Daignière (NextGen$) wrote:
> * toad <toad at amphibian.dyndns.org> [2006-12-02 03:07:25]:
>
> > On Thu, Nov 30, 2006 at 10:13:17PM +0000, toad wrote:
> > > Firefox 2.0 includes an "RSS feed sniffer". What this means is that if a
> > > file looks like RSS, regardless of its content type (tests show this
> > > happening with text/plain and image/jpeg, but not text/html), it will be
> > > treated as RSS and either displayed (previewed?) internally or passed to
> > > a third party RSS reader app, including all inline images (potentially
> > > web bugs).
> >
> > It turns out that XML does not tolerate ANY non-tag characters before
> > the first tag, and Firefox transparently falls back to the original MIME
> > type if parsing the RSS fails.
>
> Is that the current behaviour or the one after your patch got merged
> into their trunk and released?

That's the current behaviour of not only Firefox but also most other XML
parsers.

> > The consequences of this:
> > - If we check the headers of image/png, image/jpeg etc, we can be 100%
> >   sure that anything passed through will NOT be recognized as RSS.
> > - That leaves text/plain. If we can be sure that a file does not start
> >   with "<", we can safely pass it through. If a file does start with
> >   "<", then we can:
> >   - Convert it to UTF16. We need to know what the charset is to start
> >     with to do this, but it should be safe for the time being (Firefox's
> >     RSS detection only works with US-ASCII based charsets).
> >   - Add an invisible space. Again we need to know the charset, which we
> >     often won't. But this is safer than the first option.
> >   - Add a visible space or newline. This will always work, and will
> >     always be safe, but it *modifies the content*.
> >
> > Which is best?
>
> I would vote for "add a few newlines" as we use to mangle the content anyway
> and that won't prevent people from using cut&paste.

We don't normally mangle plain text, that's all...
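
The filtering rule proposed in this thread, written out as an added example (not part of the original message and not Freenet's own code). The function and constant names are hypothetical, the sample inputs are constructed, and refusing every type the thread does not discuss is an assumption of the example.

```python
# Added illustration of the rule discussed in the thread above.
# Names are hypothetical; this is not Freenet's content filter.

# File signatures that must open a body served under these image types.
IMAGE_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}


def filter_for_feed_sniffer(content_type, data):
    """Return (allowed, data_to_serve) for one fetched document."""
    # Drop parameters such as "; charset=utf-8" before comparing.
    ctype = content_type.split(";", 1)[0].strip().lower()

    if ctype in IMAGE_MAGIC:
        # A body that really starts with the image header cannot start
        # with "<", so per the thread it will not be taken for RSS.
        if data.startswith(IMAGE_MAGIC[ctype]):
            return True, data
        return False, b""

    if ctype == "text/plain":
        if data.startswith(b"<"):
            # Third option from the thread: prepend a visible newline.
            # As the thread notes, this modifies the content.
            return True, b"\n" + data
        return True, data

    # Assumption: types the thread does not cover are refused here.
    return False, b""


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("image/jpeg", b'<rss version="2.0"><channel/></rss>'),
        ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("text/plain; charset=utf-8", b'<rss version="2.0"></rss>'),
        ("text/plain", b"plain notes, no markup first"),
    ]
    for ctype, body in samples:
        print(ctype, filter_for_feed_sniffer(ctype, body))
```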