[Webkit-unassigned] [Bug 17689] New: Reject long UTF sequences

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 5 15:57:23 PST 2008


http://bugs.webkit.org/show_bug.cgi?id=17689

           Summary: Reject long UTF sequences
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: PC
        OS/Version: Windows XP
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: help.improve.webkit at gmail.com
                CC: help.improve.webkit at gmail.com


WebKit issue:
UTF standards require parsers to reject sequences that were encoded using more
bytes than absolutely necessary (for example, standard 7-bit characters encoded
as 2 or 4-byte strings, e.g. &#0000106, either as a binary value or an HTML
entity).

Modify the renderer to reject such characters, as they have no legitimate use,
but are routinely abused to carry out cross-site scripting attacks (attempts to
close HTML tags and inject code, when obfuscated this way, routinely bypass
filters).


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.


