Can you trust your web browser? Many web browsers have bugs that cause them to render some characters from different character sets incorrectly. The following pages demonstrate these bugs by example, showing how <script> tags might be inserted even if the "<" and ">" are properly filtered by the web server. Despite what your browser may display on the following pages, none of the linked pages are
| Encoding Type | Vulnerable Browsers | Vulnerable Character | Unicode Graphic | Comments |
|---|---|---|---|---|
| UTF-7 | IE6, IE7, IE8, Firefox < 4 | | | Nothing crazy here, just normal UTF-7 encoding |
| X-IMAP4-MODIFIED-UTF7 | Firefox < 4 | | | Nothing crazy here, but a strange character set nonetheless |
| X-MAC-FARSI | Firefox < 3.6.13 | [\xBC] | ☼☽☾ | Variable Width Characters are improperly decoded |
| X-MAC-ARABIC | Firefox < 3.6.13 | [\xBC] | ټ | Variable Width Characters are improperly decoded |
| X-MAC-HEBREW | Firefox < 3.6.13 | [\xBC] | ּל | Variable Width Characters are improperly decoded |
| Shift_JIS | IE6*, IE7*, Firefox, Opera | [\x81] | ? | Multi-Byte Character indicator clobbers the double-quote. *IE is affected when the Japanese language packs are installed |
| UTF-8 | IE6, Opera < 11.0 | [\xC0] | À, ﾀ | Multi-Byte Character indicator clobbers the double-quote |
| US-ASCII | IE6, IE7 | [\xBC] | ¼, ｼ | Incorrectly reads an 8-bit character |
Tip: If you still don't "get" what's going on here, check out some of these vectors in a WebKit browser like Safari or Chrome.
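A server-side check for the Shift_JIS, UTF-8 and US-ASCII rows of the table, as an added example that is not part of the original page: it strictly decodes a submitted value in the charset the page is served in and rejects it when a stray lead byte or 8-bit byte is present, rather than relying on filtering "<", ">" and the double quote alone. The function names and sample values are constructed for illustration, and the check does not cover the UTF-7 rows.

```python
import html

# Constructed samples: a form value ending in the byte listed in the table,
# paired with the charset the page would be served in.
SAMPLES = [
    (b"name\x81", "shift_jis"),                 # lone Shift_JIS lead byte
    (b"name\xc0", "utf-8"),                     # 0xC0 is never valid in UTF-8
    (b"name\xbc", "ascii"),                     # 8-bit byte in a 7-bit charset
    ("名前".encode("shift_jis"), "shift_jis"),  # well-formed Shift_JIS text
]


def invalid_byte_offsets(raw: bytes, charset: str) -> list[int]:
    """Return the offsets in raw where strict decoding as charset fails."""
    offsets, pos = [], 0
    while pos < len(raw):
        try:
            raw[pos:].decode(charset, errors="strict")
            break  # the remainder decodes cleanly
        except UnicodeDecodeError as exc:
            # exc.start and exc.end are relative to the slice being decoded
            offsets.append(pos + exc.start)
            pos += max(exc.end, exc.start + 1)  # resume after the bad bytes
    return offsets


def attribute_value(raw: bytes, charset: str) -> str:
    """Escape raw for a double-quoted HTML attribute, or refuse it."""
    bad = invalid_byte_offsets(raw, charset)
    if bad:
        # Reject rather than pass the byte through for the browser to interpret.
        raise ValueError(f"malformed {charset} input at byte offsets {bad}")
    return html.escape(raw.decode(charset), quote=True)


if __name__ == "__main__":
    for raw, charset in SAMPLES:
        try:
            print(charset, repr(attribute_value(raw, charset)))
        except ValueError as err:
            print(charset, "rejected:", err)
```

The check only helps when the response also declares that same charset explicitly, so the browser does not choose a different decoder for the page.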