On Tue, Jul 15, 2008 at 11:27 AM, Igor Bukanov <[EMAIL PROTECTED]> wrote:
> 2008/7/15 Mark Miller <[EMAIL PROTECTED]>: > > As we've found with the ES3-specified stripping of Cf characters, the > main > > effect of such transparent stripping of characters is to help attackers > slip > > XSS attacks past defensive filters. ES3.1 agrees with ES4 that BOMs and > Cfs > > should be treated as whitespace rather than stripped. > Speaking only for myself, yes, I'd be even happier with the syntax error. I have proposed such harsh treatment before but various objections were raised. In any case, again speaking only for myself, I'm happy with any solution that repairs the security holes created by stripping and avoids introducing new holes. -- Cheers, --MarkM
_______________________________________________ Es4-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es4-discuss
