On Fri, Nov 22, 2002 at 11:03:07PM +0100, Michael Schierl wrote:
> Hi,
>
> Seems that I found a rather big "hole" in fproxy's anonymity filter:
>
>
> when you insert a file encoded in UTF16 with a proper byteorder mark at
> the beginning (i.e. FFFE or FEFF), it is understood by most of the
> browsers.

Blergh. I knew there was some problem with internationalization and the
anon filter :). Can we just block it and force people to use UTF8?

>
> (btw it is the only way I know of using national chars that don't have a
> textual entity in HTML files on Freenet at all, as charset=UTF8 meta
> tags are blocked by the anonymity filter. Allowing those would be
> better, I think.)

Are they? The safest thing is certainly to block anything we don't
understand. Nobody here seems to understand I18N. Isn't there some way
of using UTF8 alternate encodings to get a < without typing a < ?

>
> Despite that, fproxy's anonymity filter lets it go through without
> finding anything in it - e.g. images loaded from the web will pass
> without warning.
>
> I inserted two sample files at
>
> SSK at eUBIUpjnEDHs3oUm4SlPEtQdrH0PAgM/ascii.html
> SSK at eUBIUpjnEDHs3oUm4SlPEtQdrH0PAgM/unicode.html
>
> Both the same "source" text, but the first one in ASCII (causes a fproxy
> warning) and the second one in UTF-16 (does not cause one).
>
> Michael
>
-- 
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
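
The "block it and force UTF8" idea from the reply above, as an added example that is not part of the original message and is not fproxy's code: a pre-filter gate that rejects documents carrying a UTF-16/UTF-32 byte-order mark and strictly decodes everything else as UTF-8, which also rejects the overlong "alternate" encodings of `<`. The function names, the NUL-byte rule and the sample documents are assumptions made for illustration.

```python
import codecs

# Byte-order marks that make browsers switch away from an ASCII-compatible
# encoding. UTF-32 comes first because its LE mark begins with the UTF-16 one.
NON_UTF8_BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


def naive_filter_flags(data: bytes) -> bool:
    """Byte-level tag scan of the kind that only works on ASCII-compatible input."""
    return b"<img" in data.lower()


def gate(data: bytes) -> tuple[str, str]:
    """Decide whether a document may be handed to the tag filter.

    Returns ("block", reason) or ("filter", text), where text is the strictly
    decoded UTF-8 string the filter should scan instead of the raw bytes.
    """
    for bom, name in NON_UTF8_BOMS:
        if data.startswith(bom):
            return ("block", f"{name} byte-order mark")
    if b"\x00" in data:  # assumed policy: NUL never appears in legitimate HTML
        return ("block", "NUL byte (possible BOM-less UTF-16/32)")
    if data.startswith(codecs.BOM_UTF8):
        data = data[len(codecs.BOM_UTF8):]
    try:
        # Strict decoding rejects overlong forms such as C0 BC for '<'.
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return ("block", f"invalid UTF-8 at byte {exc.start}")
    return ("filter", text)


# Constructed samples: the same markup in ASCII and UTF-16, plus an overlong '<'.
MARKUP = '<html><img src="http://example.invalid/x.png"></html>'
ASCII_DOC = MARKUP.encode("ascii")
UTF16_DOC = codecs.BOM_UTF16_LE + MARKUP.encode("utf-16-le")
OVERLONG_DOC = b"\xc0\xbcimg src=x>"
```

The byte scan flags `ASCII_DOC` but not `UTF16_DOC`, matching the behaviour reported for ascii.html and unicode.html; `gate` blocks the UTF-16 and overlong samples before any tag filtering runs.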
