Link to notes and test case: http://lookout.net/2008/08/26/advisory-attack-of-the-mongolian-space-evaders-and-other-medieval-xss-vectors/ Don't mean to make light of the situation but I do wish I had some Danel Clowe skills to cartoon this. How often do we get to use Ogham Space Marks and Mongolian Vowel Separators to bypass filters and deliver cross-site scripting attacks? What am I talking about? Okay enough fun, read on. Opera released version 9.52 of their flagship browser about a month ago to address an issue in the way certain Unicode characters were being interpreted as white space. This behavior enabled cross-site scripting (XSS) attacks which might not otherwise be possible. Perhaps exploiting this issue would also be useful to evade HTML filters, AV's, WAFs, or other detection systems which try to prevent XSS attacks. The HTML 4.01 specification defines four whitespace characters, and explicitly does not define other cases. Note to XSS filter developers: Any character can be treated as whitespace by an HTML4 conforming User-Agent. Have I tested this already? Yes, in most HTML agents I know about. The HTML 5 specification defines five types of "whitespace characters", and explicitly nothing else. However, the HTML 5 spec is in flux which is a much bigger issue. more on this later. The Unicode spec assigns binary property meta-data to code points, one of which is the 'white_space' property. In Opera's case, we could use almost any character with a Unicode white_space property to represent a normal whitespace character like U+0020. The following code points all get treated as a space. Making things like: possible. This list includes many of the Unicode code points with the white_space property: U+2002 to U+200A U+205F U+3000 U+180E Mongolian Vowel Separator U+1680 Ogham Space Mark Regards, Chris Weber _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/