Encoding Problems

Can you trust your web browser? Many web browsers have bugs that cause them to render some characters from different character sets incorrectly. The following pages will demonstrate these bugs by example by showing how <script> tags might be inserted even if the "<" and ">" are properly filtered by the web server. Despite what your browser may display on the following pages, none of the linked pages are

| Encoding Type | Vulnerable Browsers | Vulnerable Character | Unicode Graphic | Comments |
|---|---|---|---|---|
| UTF-7 | IE6, IE7, IE8, Firefox < 4 | | | Nothing crazy here, just normal UTF-7 encoding |
| X-IMAP4-MODIFIED-UTF7 | Firefox < 4 | | | Nothing crazy here, but a strange character set nonetheless |
| X-MAC-FARSI | Firefox < 3.6.13 | [\xBC] | ☼☽☾ | Variable Width Characters are improperly decoded |
| X-MAC-ARABIC | Firefox < 3.6.13 | [\xBC] | ټ | Variable Width Characters are improperly decoded |
| X-MAC-HEBREW | Firefox < 3.6.13 | [\xBC] | ּל | Variable Width Characters are improperly decoded |
| Shift_JIS | IE6*, IE7*, Firefox, Opera | [\x81] | ? | Multi-Byte Character indicator clobbers the double-quote. *IE is affected when the Japanese language packs are installed |
| UTF-8 | IE6, Opera < 11.0 | [\xC0] | À, タ | Multi-Byte Character indicator clobbers the double-quote |
| US-ASCII | IE6, IE7 | [\xBC] | ¼, シ | Incorrectly reads an 8-bit character |

Tip: If you still don't "get" what's going on here, check out some of these vectors in a WebKit browser like Safari or Chrome.
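
The Shift_JIS and UTF-8 rows of the table, as an added example (not code from the original page): a simplified model of a decoder that lets a lead byte swallow the double-quote that follows it, next to a server-side gate that decodes input strictly in the declared charset before escaping it. The names `render`, `lenient_decode` and `safe_attr` are hypothetical, and the lenient decoder is an assumption made for illustration, not any browser's actual code.

```python
import html

# (charset, byte) pairs from the table's "Vulnerable Character" column.
TABLE_BYTES = [("shift_jis", 0x81), ("utf-8", 0xC0), ("us-ascii", 0xBC)]


def render(value: bytes) -> bytes:
    """Hypothetical template: user bytes placed inside a quoted attribute."""
    return b'<input value="' + value + b'">'


def lenient_decode(data: bytes, lead: int) -> str:
    """Simplified model (an assumption, not browser code) of a decoder that
    treats `lead` plus whatever byte follows it as one character."""
    out, i = [], 0
    while i < len(data):
        if data[i] == lead:
            out.append("\ufffd")  # two bytes collapse into one character
            i += 2
        else:
            out.append(chr(data[i]))
            i += 1
    return "".join(out)


def safe_attr(raw: bytes, charset: str) -> str:
    """Decode strictly in the declared charset, then escape for an attribute.
    Raises ValueError on any byte sequence the charset does not allow."""
    try:
        text = raw.decode(charset, errors="strict")
    except UnicodeDecodeError as exc:
        bad = raw[exc.start]
        raise ValueError(f"byte {bad:#04x} is not valid {charset}") from exc
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed input: no '<', '>' or '"' in it, only a trailing lead byte.
    page = render(b"abc\x81")
    print(lenient_decode(page, 0x81))  # the closing quote is gone
    for charset, byte in TABLE_BYTES:
        try:
            safe_attr(b"abc" + bytes([byte]), charset)
        except ValueError as err:
            print(charset, "->", err)
```

Serving the response with an explicit `Content-Type` charset that matches the one passed to `safe_attr` keeps the browser from choosing a different decoder for the same bytes.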