On Tue, Jun 21, 2011 at 6:14 PM, Reindl Harald <h.rei...@thelounge.net>wrote:
> > > Am 21.06.2011 17:55, schrieb Tomas Kuliavas: > > > They submit it in utf-8 only if your html form allows them to do that or > > they don't follow html specification and try to exploit your form. Set > > form input charset to iso-8859-1 and your nbspace will take only one > byte. > > and this naive attitude is the root of most security problems! > > why do you believe that every client submission is coming over > your form or generally over anything you can control? > > that doesn't matter here, Tomas just corrected John, that his statement that chrome will always use utf-8 encoding for some special character isn't true. browsers will adhere the http://www.w3.org/TR/html401/interact/forms.html#adef-accept-charset of course you can't trust user input, and you have to validate it, but this has nothing to do with this topic. Tyrael
