[WEB SECURITY] UTF7 a requirement?

robert at webappsec.org robert at webappsec.org
Mon Mar 24 17:50:42 EDT 2008


Hello List,

We've seen UTF7 based XSS (for example, Google: http://www.securiteam.com/securitynews/6Z00L0AEUE.html) exploited in the wild,
and I'm wondering: is there ever a situation where UTF7 is required for a website to work? Are there certain charsets/languages
that will not render/function properly unless UTF7 is used (I'm thinking no)?

It seems to me you could just set UTF8 as a requirement (specified in headers/meta) and avoid these UTF7 XSS issues. Any
encoding ninjas care to comment?

Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
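
The header/meta requirement raised in the message above can be audited per response. The following is an added example, not part of the original post: the function names, finding codes and sample responses are constructed for illustration, and the check covers only the Content-Type header, a meta declaration in the first 1024 bytes, and a leading UTF-7 byte order mark.

```python
import re

# UTF-7 encodings of U+FEFF (the byte order mark)
UTF7_BOMS = (b"+/v8", b"+/v9", b"+/v+", b"+/v/")

def header_charset(content_type):
    """Return the lowercased charset parameter of a Content-Type value, or None."""
    m = re.search(r'charset\s*=\s*"?([^\s;"]+)', content_type or "", re.I)
    return m.group(1).lower() if m else None

def meta_charset(body):
    """Return the charset from a <meta> tag in the first 1024 bytes, or None."""
    m = re.search(rb'<meta[^>]*charset\s*=\s*["\']?([\w-]+)', body[:1024], re.I)
    return m.group(1).decode("ascii").lower() if m else None

def audit_charset(content_type, body):
    """Return a list of finding codes for one HTTP response (empty list = OK)."""
    findings = []
    hdr, meta = header_charset(content_type), meta_charset(body)
    if hdr is None and meta is None:
        # Nothing pins the encoding, so the browser has to guess it.
        findings.append("no-charset")
    for where, cs in (("header", hdr), ("meta", meta)):
        if cs and cs.replace("-", "") == "utf7":
            findings.append(where + "-utf7")
    if hdr and meta and hdr != meta:
        findings.append("header-meta-mismatch")
    if body.lstrip().startswith(UTF7_BOMS):
        findings.append("utf7-bom")
    return findings

# Constructed sample responses: (Content-Type header value, body bytes)
SAMPLES = {
    "no_charset": ("text/html",
                   b"<html><head><title>Not found</title></head></html>"),
    "utf7_meta": ("text/html",
                  b'<html><head><meta http-equiv="Content-Type" '
                  b'content="text/html; charset=UTF-7"></head></html>'),
    "mismatch": ("text/html; charset=ISO-8859-1",
                 b'<html><head><meta charset="utf-8"></head></html>'),
    "utf7_bom": ("text/html", b"+/v8-<html></html>"),
    "pinned_utf8": ("text/html; charset=utf-8",
                    b'<html><head><meta charset="utf-8"></head></html>'),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(name, audit_charset(ctype, body) or "ok")
```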
 
