This is one of the weirder vectors I’ve come across in a while, but since I’ve been the one touting the virtues of ISO-8895-1 for the last several months since we found all the issues in UTF-8 and US-ASCII I thought I should be fair and report another issue I came across. I was toying with the old UTF-16 vector today and randomly started iterating through other encoding methods in Firefox, when I came across another issue.
Internet Explorer has always allowed nulls anywhere you want in the code and it is gracefully ignored. Firefox, however, in all other cases other than UTF-16 (and who uses that anyway) breaks if you try to change the vector by adding nulls. So it appears that ISO-8895-1 was safe for Firefox from null injection. Until today that is. The code for this is very simple:
Interesting… I’m not sure how useful it is, since it appears to be highly touchy in the amount of characters precede it and what exactly precedes it, but nevertheless I thought I should be full disclosure since I was the one who was touting it as more secure than UTF-8.