Hi forum friends,
I posted about this here: https://forum.avast.com/index.php?topic=61473.0
I wonder if NoScript is also neutralizing these?
luntrus
Finding bad characters can be an exhausting task
- Giorgio Maone
- Site Admin
Re: Finding bad characters can be an exhausting task
Characters can be "bad", but they're hardly malicious.
And what's bad really depends on context. Some character which is "bad" in UTF-8 (a malformed sequence), can represent 2 or 3 valid characters in another charset, e.g. a latin variant.
A "0" byte is an ending sequence in UTF-8 (thus "bad" in the middle of a string), but is extremely common in UTF-16.
So unless you're a developer testing the output or the input of his program for malformed strings, or you're writing a parser/validator, there's no need to worry about "bad" characters.
For what it's worth, NoScript's XSS filter is charset-aware, and therefore tries to correctly handle "bad" characters when performing its checks.
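An added example, not part of the original posts and not NoScript's code: a small charset-aware check of the kind a parser or validator author would run, showing that the same bytes are malformed under one charset and clean under another. The function name `check` and both sample byte strings are constructed for illustration.

```python
import codecs

def check(data: bytes, charset: str):
    """Decode `data` as `charset`.

    Returns (text, malformed, nul_chars):
      text      - decoded string, U+FFFD in place of each malformed run
      malformed - list of (start, end) byte offsets the codec rejected
      nul_chars - indices of U+0000 characters in the decoded text
    """
    malformed = []

    def note(err):
        # Record the rejected byte span, substitute U+FFFD, resume after it.
        malformed.append((err.start, err.end))
        return ("\ufffd", err.end)

    # Re-registering under the same name simply replaces the old handler.
    codecs.register_error("note-malformed", note)
    text = data.decode(charset, errors="note-malformed")
    nul_chars = [i for i, ch in enumerate(text) if ch == "\x00"]
    return text, malformed, nul_chars

# Constructed sample 1: 0xC3 starts a two-byte UTF-8 sequence, but "(" (0x28)
# is not a continuation byte, so UTF-8 rejects it. Latin-1 reads the same
# bytes as ordinary characters.
SAMPLE_HIGH = b"x\xc3(y"

# Constructed sample 2: "Hi" encoded as UTF-16-LE. Every other byte is 0x00.
SAMPLE_UTF16 = "Hi".encode("utf-16-le")

def compare(data: bytes, charsets):
    """Run check() under each charset so the results can be read side by side."""
    return {cs: check(data, cs) for cs in charsets}

if __name__ == "__main__":
    for name, data, charsets in [
        ("high byte", SAMPLE_HIGH, ["utf-8", "latin-1"]),
        ("utf-16 text", SAMPLE_UTF16, ["utf-16-le", "utf-8"]),
    ]:
        print(name, data)
        for cs, (text, malformed, nuls) in compare(data, charsets).items():
            print(f"  {cs:10} text={text!r} malformed={malformed} nul_chars={nuls}")
```

A filter that inspects input before decoding it with the charset the consumer will actually use sees a different string than the consumer does, which is why the check has to be charset-aware.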