On July 18, 2005 at 11:14, Jim Fenton wrote:
As for the removal of internal white space in the nowsp canonicalization,
if whitespace is something that can't be exploited by an attacker, why not
remove it? The only exploit I'm aware of is the somewhat ridiculous "ASCII
art" attack where an existing message is respaced to spell out something
else in big letters.
We cannot assume that all text media-types treat whitespace the
same. A good example is text/tab-separated-values.
Just have a look at
the myriad of text media types, and who knows what the future
I'm also not sure about how such types like HTML can be affected.
With all the HTML-based attack vectors that currently exist, this
could potentially provide another one, even though we cannot
think of an actual exploit, I do not underestimate blackhatters
from discovering something.