Re: [mod-security-users] Odd encoding of <script>
From: MARTIN, J. (ATTSI) <JM...@at...> - 2010-07-20 21:52:24
I'm sorry, I should have included the browser detail. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 on XP SP3 and IE7 SP3. The http headers include "Content-Type: text/html; charset=iso-8859-1" with a meta header of <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>. I'm not sure of the impact of the conflicting content-types.

Any suggestions on how to most effectively filter this?

Thank you,
-Jason Martin

-----Original Message-----
From: Brian Rectanus [mailto:Bri...@br...]
Sent: Tuesday, July 20, 2010 12:48 PM
To: MARTIN, JASON (ATTSI)
Cc: mod...@li...
Subject: Re: [mod-security-users] Odd encoding of <script>

On 07/20/2010 09:59 AM, MARTIN, JASON (ATTSI) wrote:
> Hello, I am seeing that %EF%BC%A2%EA%A8%BE%EF%BC%BCscript%EA%A8%BE is
> somehow translated to <script> when decoded by a browser. The
> characters all map to high-ascii, but I don't see how the browser would
> interpret that as a valid <script> tag yet it does. Has anyone seen
> that before?
>
> Thank you,
> -Jason Martin

This looks like UTF-8, not ascii. There are 3 characters before "script" and one after.

0xEFBCA2 = U+FF22: FULLWIDTH LATIN CAPITAL LETTER B (ascii B)
0xEAA8BE = U+AA3E: UNKNOWN CHARACTER
0xEFBCBC = U+FF3C: FULLWIDTH REVERSE SOLIDUS (ascii \)
script = ASCII String
0xEAA8BE = U+AA3E: UNKNOWN CHARACTER

Not sure how that is interpreted by the browser as you did not say which one on which platform :)

--
Brian Rectanus
www.trustwave.com
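Added example, not part of either message: a small Python triage helper that decodes the value quoted in the thread under both charsets the page declares (UTF-8 from the meta tag, ISO-8859-1 from the HTTP header) and lists the resulting code points, which is the kind of normalization step a filter needs before matching. The function names `describe` and `analyze` are hypothetical.

```python
import unicodedata
from urllib.parse import unquote_to_bytes

# The percent-encoded value quoted in the thread.
SAMPLE = "%EF%BC%A2%EA%A8%BE%EF%BC%BCscript%EA%A8%BE"


def describe(text):
    """Return (code point, Unicode name) for every non-ASCII character."""
    return [(f"U+{ord(c):04X}", unicodedata.name(c, "<no name in this Unicode database>"))
            for c in text if ord(c) > 0x7F]


def analyze(encoded):
    """Percent-decode, then interpret the bytes under both declared charsets."""
    raw = unquote_to_bytes(encoded)
    report = {"raw_hex": raw.hex()}

    # Reading 1: UTF-8, as the page's meta tag declares.
    try:
        utf8 = raw.decode("utf-8", errors="strict")
        report["utf8"] = describe(utf8)
        # NFKC folds compatibility forms (e.g. fullwidth letters) to ASCII,
        # so a rule written against ASCII sees what a lenient consumer might.
        report["nfkc"] = unicodedata.normalize("NFKC", utf8)
    except UnicodeDecodeError:
        utf8 = ""
        report["utf8"] = None
        report["nfkc"] = None

    # Reading 2: ISO-8859-1, as the HTTP header declares (every byte is valid).
    latin1 = raw.decode("iso-8859-1")
    report["latin1"] = describe(latin1)

    # Does any of the readings contain a literal ASCII '<' or '>'?
    candidates = [utf8, report["nfkc"] or "", latin1]
    report["ascii_angle_brackets"] = any(ch in s for s in candidates for ch in "<>")
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value!r}")
```

Because neither declared charset yields a literal `<` or `>` for this input, a rule keyed on ASCII angle brackets will not fire on it; matching has to happen on the decoded code points or on the raw byte sequences.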