You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2006-42

Mozilla Foundation Security Advisory 2006-42

Title: Web site XSS using BOM on UTF-8 pages
Impact: High
Date: June 1, 2006
Reporter: Masatoshi Kimura
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.0.2


Masatoshi Kimura reports that the Unicode Byte-order-Mark (BOM) is stripped from UTF-8 pages during the conversion to Unicode before the parser sees the web page. As a result the parser will see and process script tags that web input sanitizers may miss because they appear as "scr[BOM]ipt" or similar in the comment code on the web site.

Although Firefox and later will be fixed and no longer accept such script tags, web sites will continue to be visited by older versions of Firefox and Mozilla browsers. Web sites can protect themselves by explicitly setting the character encoding to something other than UTF-8, or by adding the Unicode byte-order marks to the repertoire of the site's input sanitizer.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.


Users can protect themselves by disabling JavaScript on sites that allow community input until they can upgrade to a fixed version.

Sites can protect their users by stripping the BOM from web input or, if appropriate, specifying a character encoding other than UTF-8.