Finding bad characters can be an exhausting task
Posted: Mon Jul 05, 2010 8:52 pm
by luntrus
Hi forum friends,
I posted about this here:
https://forum.avast.com/index.php?topic=61473.0
I wonder if NoScript is also neutralizing these?
luntrus
Re: Finding bad characters can be an exhausting task
Posted: Mon Jul 05, 2010 10:44 pm
by Giorgio Maone
Characters can be "bad", but they're hardly malicious.
And what's bad really depends on context. Some character which is "bad" in UTF-8 (a malformed sequence) can represent 2 or 3 valid characters in another charset, e.g. a Latin variant.
A "0" byte is an ending sequence in UTF-8 (thus "bad" in the middle of a string), but is extremely common in UTF-16.
So unless you're a developer testing the output or the input of his program for malformed strings, or you're writing a parser/validator, there's no need to worry about "bad" characters.
For what it's worth, NoScript's XSS filter is charset-aware, and therefore tries to correctly handle "bad" characters when performing its checks.
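
The charset dependence described in the reply above, as an added example that is not part of the original thread and is not NoScript's code: the same constructed byte strings are decoded strictly under three charsets, and a NUL check is run on the decoded text instead of the raw bytes. The function names, the charset list and the sample bytes are assumptions made for illustration.

```python
# Added example: all inputs below are constructed, not taken from the thread.
CHARSETS = ("utf-8", "iso-8859-1", "utf-16-le")


def decode_strict(data: bytes, charset: str):
    """Return (text, None) if data is well-formed in charset,
    else (None, byte offset of the first malformed sequence)."""
    try:
        return data.decode(charset, errors="strict"), None
    except UnicodeDecodeError as exc:
        return None, exc.start


def survey(data: bytes, charsets=CHARSETS):
    """Map each charset name to the decode_strict() result for data."""
    return {cs: decode_strict(data, cs) for cs in charsets}


def has_nul_in_text(data: bytes, charset: str) -> bool:
    """Charset-aware NUL check: look for U+0000 in the decoded text,
    not for 0x00 bytes in the raw input."""
    text, bad_at = decode_strict(data, charset)
    if text is None:
        raise ValueError(f"malformed {charset} input at byte {bad_at}")
    return "\x00" in text


# 0xE9 with no continuation bytes is malformed UTF-8, but it is the
# single character 'é' in ISO-8859-1 and half of a code unit in UTF-16.
LATIN_BYTES = b"caf\xe9"

# Plain ASCII text encoded as UTF-16LE: every second byte is 0x00.
UTF16_BYTES = "abc".encode("utf-16-le")

if __name__ == "__main__":
    for name, sample in (("LATIN_BYTES", LATIN_BYTES), ("UTF16_BYTES", UTF16_BYTES)):
        print(name, sample)
        for charset, (text, bad_at) in survey(sample).items():
            status = repr(text) if text is not None else f"malformed at byte {bad_at}"
            print(f"  {charset:11s} {status}")
    # A raw byte scan sees NULs in UTF-16 text; the decoded text has none.
    print("raw 0x00 present:", b"\x00" in UTF16_BYTES)
    print("U+0000 in utf-16-le text:", has_nul_in_text(UTF16_BYTES, "utf-16-le"))
```
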