[web-devel] XSS vs charset

Michael Snoyman michael at snoyman.com
Wed Apr 2 06:13:18 UTC 2014


Forgot to CC the list.


On Wed, Apr 2, 2014 at 8:51 AM, Michael Snoyman <michael at snoyman.com> wrote:

> I'm not sure if Mighty is really vulnerable to this attack. IIUC, you're
> worried about a static file receiving some compromised data from a user
> which includes a UTF-7 sequence. However, Mighty is only serving static
> data files (as opposed to generating HTML from a database query or
> something), so if a user is able to compromise those already, it sounds
> like *nothing* you can do would prevent an attack.
>
> I suppose theoretically you could be talking about a situation where
> Mighty is hosting a CGI application that receives user data and produces a
> static HTML file as a result. In that case, you would be open to an attack.
> But it could be worked around by the CGI application using <meta
> charset=...> instead.
>
> Putting aside the question of this specific attack for the moment, what
> would be the advantages and disadvantages of forcing charset=utf-8?
>
> * Advantage: if the data is actually UTF-8, the browser will always treat
> it as such. Without such a specification, a browser is free to guess at
> some other character encoding.
> * Disadvantage: if the data isn't actually UTF-8, then the browser will
> have no ability to try to guess the correct encoding instead.
>
> So that comes to the question: is it safe for Mighty, mime-types, etc, to
> require that all HTML files are stored as UTF-8? I'd say, as long as
> there's a way for a user to override that if necessary, it sounds good to
> me. mime-types does provide such a capability, so I'd be in favor of
> tweaking its textual types to include explicit charset information.
>
>
> On Wed, Apr 2, 2014 at 8:02 AM, Kazu Yamamoto <kazu at iij.ad.jp> wrote:
>
>> Hi all,
>>
>> I heard that if an HTTP server does not specify charset for text/html
>> in HTTP responses, XSS would be possible:
>>
>>         http://openmya.hacker.jp/hasegawa/security/utf7cs.html
>>
>> I would like to change Mighty to specify charset=UTF-8. Before that, I
>> would like to discuss some items on this ML.
>>
>> - Can we assume that recent contents are written in UTF-8?
>>   For Japanese community, the answer is probably YES.
>> - Which components should specify charset=UTF-8?
>>   The mime-types package?
>>
>> --Kazu
>> _______________________________________________
>> web-devel mailing list
>> web-devel at haskell.org
>> http://www.haskell.org/mailman/listinfo/web-devel
>>
>
>
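The mitigation Michael and Kazu discuss above (attach an explicit charset to textual media types so the browser never has to guess, while still letting a deployment override it) as an added example in Python; this is not code from the thread, from Mighty or from the mime-types package, and the textual-type set, function names and sample response headers are constructed for illustration.

```python
import re

# Media types that browsers treat as text and will encoding-sniff when no
# charset is declared. Constructed set; a real server would use its own table.
TEXTUAL_TYPES = {"text/html", "text/plain", "text/css", "text/javascript",
                 "application/javascript", "application/json", "application/xml"}

def with_charset(content_type: str, default: str = "utf-8") -> str:
    """Return content_type with an explicit charset if it is a textual type and
    none was given. An existing charset is left alone so that a site really
    serving Shift_JIS or ISO-8859-1 can still declare that (the override the
    thread asks for)."""
    media, _, params = content_type.partition(";")
    media = media.strip().lower()
    if media not in TEXTUAL_TYPES:
        return content_type
    if re.search(r"(^|;)\s*charset\s*=", params, re.IGNORECASE):
        return content_type
    tail = params.strip()
    return f"{media}; {tail}; charset={default}" if tail else f"{media}; charset={default}"

def unsafe_responses(header_blocks: list[str]) -> list[str]:
    """Detection side: given raw HTTP response header blocks, return the
    Content-Type values of text/html responses that carry no charset, i.e. the
    responses a browser is free to decode with a guessed encoding."""
    found = []
    for block in header_blocks:
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-type":
                media = value.split(";")[0].strip().lower()
                if media == "text/html" and "charset=" not in value.lower():
                    found.append(value.strip())
    return found

# Constructed sample responses for a quick self-check.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 12\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n",
]

if __name__ == "__main__":
    print(unsafe_responses(SAMPLE_HEADERS))   # ['text/html']
    print(with_charset("text/html"))           # text/html; charset=utf-8
```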