[idn] space-like unicode char

Soobok Lee <lsb@lsb.org> Sun, 20 February 2005 05:34 UTC

You can paste this HTML/JavaScript codelet into an HTML file on your
webserver and see it in your MSIE browser.
You will see "www.microsoft.com" isolated in the address bar from the
"mozilla.org" domain suffix.
Fortunately, you will see blank space (no phishing page) if you have a
recent IE patch.
This won't work in Firefox 1.x, which strips off those special chars
for unknown reasons before sending to the address bar.

<script>
window.open(unescape("http://www.microsoft.com%u1160%u1160%u1160%u1160%u1160%u1160.mozilla.org/"),"_blank");
</script>
 
U+1160 is a space-like char, and even stringprep/nameprep does not
filter it out because the char is not for punctuation purposes.
U+1160 is just one example, and I guess there may be many alternatives
that can be used as blank char alternatives.

U+1160 in the above example is placed in the 3rd level domain name label,
over which the .org registry cannot impose any regulations.

Soobok Lee
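
A label-level check for blank-rendering characters such as the U+1160 discussed in the message above, added here as an example that is not part of the original post. The function names and sample hostnames are constructed, and the character class goes beyond U+1160 to the other Hangul fillers, Unicode white space and default-ignorable code points.

```javascript
// Added example, not from the original message. Sample hostnames are constructed.
// Characters that render as blank space or as nothing at all. The explicit
// Hangul fillers include U+1160 from the message; the property escapes
// generalize the check to other blank-looking code points.
const BLANK_LIKE =
  /[\u115F\u1160\u3164\uFFA0]|\p{White_Space}|\p{Default_Ignorable_Code_Point}/u;

function toHex(ch) {
  return "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
}

// Returns one finding per DNS label that contains a blank-like character.
// `level` counts from the right: 1 = TLD, 2 = registered name, 3+ = subdomains
// that the registry never sees.
function findBlankLikeLabels(hostname) {
  const labels = hostname.split(".");
  const findings = [];
  labels.forEach((label, index) => {
    const chars = [...label];
    const hits = chars.filter((ch) => BLANK_LIKE.test(ch));
    if (hits.length > 0) {
      findings.push({
        level: labels.length - index,
        visiblePart: chars.filter((ch) => !BLANK_LIKE.test(ch)).join(""),
        codePoints: [...new Set(hits.map(toHex))],
        count: hits.length,
      });
    }
  });
  return findings;
}

// The text a user is likely to read as the host: everything before the
// first blank-like character.
function perceivedHost(hostname) {
  const chars = [...hostname];
  const cut = chars.findIndex((ch) => BLANK_LIKE.test(ch));
  return cut === -1 ? hostname : chars.slice(0, cut).join("");
}

// Constructed inputs: the hostname from the message, and a clean one.
const spoofed = "www.microsoft.com" + "\u1160".repeat(6) + ".mozilla.org";
const clean = "www.mozilla.org";
console.log(findBlankLikeLabels(spoofed), perceivedHost(spoofed));
console.log(findBlankLikeLabels(clean), perceivedHost(clean));
```

A display or logging layer can reject or visibly escape any hostname for which `findBlankLikeLabels` returns a finding, regardless of which level the label sits at.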