2008/7/15 Mark Miller <[EMAIL PROTECTED]>:
> As we've found with the ES3-specified stripping of Cf characters, the main
> effect of such transparent stripping of characters is to help attackers slip
> XSS attacks past defensive filters. ES3.1 agrees with ES4 that BOMs and Cfs
> should be treated as whitespace rather than stripped.
But this means that it will silently change the semantics of +<bom-or-cf>+ from ++ into + +. From the security point of view it would be better to treat such cases as syntax errors. A possible rule could be to allow BOM/Cf only in strings/regexp literals or if such character follows/precedes a non-zero-width white space character.

_______________________________________________
Es4-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es4-discuss
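The three treatments discussed in the thread, side by side, as an added illustration that is not code from the thread or from any ECMAScript engine: stripping format characters (ES3), turning them into whitespace (ES4/ES3.1), and the reply's proposal of rejecting them outside string literals unless they sit next to real whitespace. The checker only tracks '...' and "..." string literals; regexp literals, comments and the exact whitespace set are simplifications assumed here.

```javascript
// Added example (not from the thread). Demonstrates how a source pre-pass
// could treat Unicode format characters (general category Cf, which includes
// the U+FEFF BOM) under the three policies discussed.

const CF_CHAR = /^\p{Cf}$/u;          // one code point of category "Format"
const CF_ALL = /\p{Cf}/gu;
// Non-zero-width whitespace/line terminators (assumed set for this example).
const VISIBLE_WS = /^[ \t\n\r\v\f\u00A0\u2028\u2029]$/;

// Policy 1 (ES3 behaviour): silently delete Cf characters.
// 'a+\u200B+b' becomes 'a++b', i.e. a different token stream.
function stripCf(src) {
  return src.replace(CF_ALL, '');
}

// Policy 2 (ES4 / ES3.1 per the thread): treat each Cf as whitespace.
// 'a+\u200B+b' becomes 'a+ +b'.
function cfAsWhitespace(src) {
  return src.replace(CF_ALL, ' ');
}

// Policy 3 (rule proposed in the reply): a Cf is legal only inside a string
// literal, or when the character before or after it is non-zero-width
// whitespace. Every other occurrence is reported. Returns an array of
// { index, codePoint } (index counts code points, not UTF-16 units).
// Simplification: regexp literals, comments and template literals are not
// recognised as literal context.
function findIllegalCf(src) {
  const cps = Array.from(src);
  const errors = [];
  let quote = null;                       // active string delimiter, or null
  for (let i = 0; i < cps.length; i++) {
    const ch = cps[i];
    if (quote) {
      if (ch === '\\') { i++; continue; } // skip the escaped character
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if (CF_CHAR.test(ch)) {
      const prev = cps[i - 1] ?? '';
      const next = cps[i + 1] ?? '';
      if (!VISIBLE_WS.test(prev) && !VISIBLE_WS.test(next)) {
        errors.push({ index: i, codePoint: ch.codePointAt(0) });
      }
    }
  }
  return errors;
}

// Front end for policy 3: return the source unchanged or throw a SyntaxError
// naming the first offending character.
function rejectIllegalCf(src) {
  const errs = findIllegalCf(src);
  if (errs.length > 0) {
    const cp = errs[0].codePoint.toString(16).toUpperCase().padStart(4, '0');
    throw new SyntaxError(`format character U+${cp} at index ${errs[0].index}`);
  }
  return src;
}

// Constructed sample: a zero-width space (U+200B, category Cf) between two '+'.
const sample = 'a+\u200B+b';
console.log(JSON.stringify(stripCf(sample)));        // "a++b"
console.log(JSON.stringify(cfAsWhitespace(sample))); // "a+ +b"
console.log(findIllegalCf(sample));                  // [{ index: 2, codePoint: 8203 }]
console.log(findIllegalCf('s = "a\u200Bb"'));        // [] (inside a string literal)
console.log(findIllegalCf('a +\u200B b'));           // [] (next to real whitespace)
```

The point the example makes concrete is the reply's one: under either of the first two policies the same byte sequence parses as two different programs depending on which policy the consumer applies, while the third policy refuses the ambiguous input outright.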
