Mailing List Archive



Re: [tlug] Do you whitelist or blacklist utf-8?



Richard Frankum writes:

 > On Thu, Feb 24, 2011 at 11:02 AM, Stephen J. Turnbull
 > <stephen@example.com> wrote:
 > > Josh Glover writes:
 > 
 > > What you mean is to blacklist possibly syntactic characters and only
 > > take characters off if you really need them.  In particular, blacklist
 > > everything in ASCII except for the alphanumeric characters and maybe
 > > the space.  But non-ASCII characters don't matter most of the time.
 > 
 > Isn't there a vulnerability involving automatic full-width to
 > half-width conversion?

Er, automatic conversions *after* the filter are right out.  If you
don't have full control of every bit in the output, you are probably
vulnerable to XSS.

Or do you mean that browsers convert?  If browsers are doing that kind
of thing, I guess you have to be paranoid, but that's a losing game.
You can't hope to keep up with browser breakage.

 > Or would I be paranoid to think that zenkaku
 > punctuation should be blacklisted as well?

Well, there's potential vulnerability any time you allow any input.
That's why there are no commercial systems better than Orange Book
level 3.
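
The ordering problem raised in the reply above (a conversion that runs *after* the filter), as an added example that is not part of the original post. It assumes Unicode NFKC normalization as a stand-in for the "automatic full-width to half-width conversion"; the function names and the sample string are constructed for illustration.

```python
import unicodedata

# ASCII characters treated as possibly syntactic: everything except
# alphanumerics and the space, following the advice quoted in the thread.
def is_blacklisted(ch: str) -> bool:
    return ord(ch) < 0x80 and not (ch.isalnum() or ch == " ")

def strip_blacklisted(text: str) -> str:
    """Drop blacklisted ASCII; non-ASCII characters pass through untouched."""
    return "".join(ch for ch in text if not is_blacklisted(ch))

def filter_then_convert(text: str) -> str:
    """Broken order: the filter runs first, then a width conversion (NFKC)."""
    return unicodedata.normalize("NFKC", strip_blacklisted(text))

def convert_then_filter(text: str) -> str:
    """Safe order: canonicalise first, so the filter sees the final characters."""
    return strip_blacklisted(unicodedata.normalize("NFKC", text))

def reintroduced(text: str) -> set:
    """Blacklisted characters that appear in the output of the broken order."""
    return {ch for ch in filter_then_convert(text) if is_blacklisted(ch)}

# Constructed sample input: full-width (zenkaku) punctuation around ASCII text,
# i.e. U+FF1C, U+FF1E and U+FF0F in place of '<', '>' and '/'.
SAMPLE = "\uff1cb\uff1ehello\uff1c\uff0fb\uff1e"

if __name__ == "__main__":
    print(repr(filter_then_convert(SAMPLE)))  # ASCII markup comes back
    print(repr(convert_then_filter(SAMPLE)))  # markup characters are gone
    print(sorted(reintroduced(SAMPLE)))
```

The filter itself is identical in both functions; only the position of the conversion relative to it decides whether blacklisted characters reach the output.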


