Bug 414064 part 1. Mark UTF-7 as being vulnerable to XSS attacks. r=VYV03354@nifty.ne.jp
authorSimon Montagu <smontagu@smontagu.org>
Mon, 28 Mar 2011 23:32:11 -0400
changeset 64124 6a21a25f2400af9914688dc58f7d98a8eb42c7e6
parent 64123 6b4617ba34b22733b4c408def87abc8857c25973
child 64125 4d103ea8178dbedacfee6d4f5ad0acbe17f8ac2a
push id: unknown
push user: unknown
push date: unknown
reviewers: VYV03354
bugs: 414064
milestone: 2.2a1pre
Bug 414064 part 1. Mark UTF-7 as being vulnerable to XSS attacks. r=VYV03354@nifty.ne.jp
intl/uconv/src/charsetData.properties
--- a/intl/uconv/src/charsetData.properties
+++ b/intl/uconv/src/charsetData.properties
@@ -38,47 +38,61 @@
 
 ## Rule of this file:
 ## 1. key should always be in lower case ascii so we can do case insensitive
 ##    comparison in the code faster.
 
 ## Format of this file:
 ##
 ## charset_name.notForBrowser = anything  -  specifies that this charset is 
-## not to be used in the browser
+## not to be exposed in the browser charset selection UI
 ## charset_name.notForOutgoing = anything  -  specifies that this charset is 
 ## not to be used for exporting files ('SaveAsCharset' in composer)
 ##
 ## charset_name.isXSSVulnerable = anything - specifies that this charset is
 ## known to be vulnerable to XSS attacks and should not be exposed to web
 ## content
 ##
 ## charset_name.LangGroup = 
 ##
 ## charset_name.isMultibyte = multi byte charsets
 
+# notForBrowser falls into four categories:
+#
+# charsets that we need decoders for, that we don't expect ever to appear in
+# web content
+# XXX do we still need to support t.61?
 t.61-8bit.notForBrowser             = true
-x-imap4-modified-utf7.notForBrowser = true
+
+# charsets that are subsets or variants of other charsets. We implement them
+# as aliases to the superset
 windows-936.notForBrowser           = true
 us-ascii.notForBrowser                  = true
 iso-8859-6-e.notForBrowser              = true
 iso-8859-6-i.notForBrowser              = true
 ibm864i.notForBrowser                   = true
+iso-8859-8-e.notForBrowser              = true
+
+# platform charsets that don't appear in web content
 ibm869.notForBrowser                    = true
 ibm1125.notForBrowser                   = true
 ibm1131.notForBrowser                   = true
-iso-8859-8-e.notForBrowser              = true
-utf-7.notForBrowser                     = true
+
+# charset with isXSSVulnerable
 x-mac-arabic.notForBrowser              = true
 x-mac-farsi.notForBrowser               = true
 x-mac-hebrew.notForBrowser              = true
+x-imap4-modified-utf7.notForBrowser     = true
+utf-7.notForBrowser                     = true
 
 x-mac-arabic.isXSSVulnerable            = true
 x-mac-farsi.isXSSVulnerable             = true
 x-mac-hebrew.isXSSVulnerable            = true
+x-imap4-modified-utf7.isXSSVulnerable   = true
+utf-7.isXSSVulnerable                   = true
 
 t.61-8bit.notForOutgoing             = true
 utf-7.notForOutgoing                 = true
 x-imap4-modified-utf7.notForOutgoing = true
 windows-936.notForOutgoing           = true
 us-ascii.notForOutgoing                  = true
 iso-8859-6-e.notForOutgoing              = true
 iso-8859-6-i.notForOutgoing              = true
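Review bot: The new category header `# charset with isXSSVulnerable` labels five notForBrowser entries, but the matching `isXSSVulnerable` keys sit in a separate, uncommented block below, so a charset added to one list can silently miss the other and the "not exposed to web content" rule in the file header then depends on which list the code reads. I would reword the header to `# charsets marked isXSSVulnerable below; every entry here must also be listed there` and put `# every charset here must also be notForBrowser above` directly before the `x-mac-arabic.isXSSVulnerable` line. Nothing in this hunk enforces the flag itself; presumably the consumer is in the code half of the change rather than this data file, so the comment is the only thing keeping the two lists in step. The `XXX do we still need to support t.61?` question would be better tracked in the bug than left as an open note in the data file.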