Once bug 935453 has been out on the release channel for six weeks, we should evaluate the results and see if we can get away with mapping HZ to the replacement encoding. (HZ is the most XSS-exploitable one of the encodings we support.)

The results are in (http://telemetry.mozilla.org/#release/28/DECODER_INSTANTIATED_HZ/saved_session/Firefox), and it looks like we should do this.

Per https://www.w3.org/Bugs/Public/show_bug.cgi?id=25339#c4 and https://codereview.chromium.org/265973003 Blink landed this about four months ago. Perhaps we should follow?

(In reply to Anne (:annevk) from comment #5) > Per https://www.w3.org/Bugs/Public/show_bug.cgi?id=25339#c4 and > https://codereview.chromium.org/265973003 Blink landed this about four > months ago. Perhaps we should follow? Yeah. https://tbpl.mozilla.org/?tree=Try&rev=8529a322b45b

https://tbpl.mozilla.org/?tree=Try&rev=913b8d2ed3a0 I'm not removing the encoder and decoder from the tree in this patch in order to avoid rotting my queue. I'll do it as a follow-up.

Comment on attachment 8493629 [details] [diff] [review] Map HZ to replacement, v3 Review of attachment 8493629 [details] [diff] [review]: ----------------------------------------------------------------- ::: intl/uconv/tests/unit/test_bug367026.js @@ -1,1 @@ > -/* Tests conversion from Unicode to HZ-GB-2312 (bug 367026) Could you preserve the test until you remove the encoder and decoder? ::: intl/uconv/tests/unit/test_bug90411.js @@ -1,1 @@ > -/* Test case for bug 90411 Ditto.

(In reply to Masatoshi Kimura [:emk] from comment #8) > ::: intl/uconv/tests/unit/test_bug367026.js > @@ -1,1 @@ > > -/* Tests conversion from Unicode to HZ-GB-2312 (bug 367026) > > Could you preserve the test until you remove the encoder and decoder? I landed with that test preserved. Thanks. https://hg.mozilla.org/integration/mozilla-inbound/rev/75c44bd10b14 > ::: intl/uconv/tests/unit/test_bug90411.js > @@ -1,1 @@ > > -/* Test case for bug 90411 > > Ditto. This one I didn't preserve, because it used a conversion mechanism that doesn't allow Encoding Standard label handling to be bypassed.

sorry had to backout this change since we had test failures in web platform test 2 like https://tbpl.mozilla.org/php/getParsedLog.php?id=48760797&tree=Mozilla-Inbound

(In reply to Carsten Book [:Tomcat] from comment #10) > sorry had to backout this change since we had test failures in web platform > test 2 like > https://tbpl.mozilla.org/php/getParsedLog.php?id=48760797&tree=Mozilla- > Inbound Sorry about that. This is what I get from trying to save tryserver resources. :-( Now I need to learn to work with Web Platform Tests.

James, attachment 8494478 [details] [diff] [review] points out some things where we have expected FAIL. Ideally these tests are updated somehow, including upstream. They probably want to expect the label "replacement", except for the "x-user-defined" one, not sure why that is FAIL.

The expectation just refers to what we expect Gecko to actually do, not what the spec expects. If the tests are wrong per spec they should indeed be fixed upstream. Does one of you have the time to do that? I don't know encoding stuff too well.

Okay, so we fix upstream first? I can help.

(In reply to Henri Sivonen (:hsivonen) from comment #12) > Created attachment 8494478 [details] [diff] [review] > Web Platform expectation addendum > > https://tbpl.mozilla.org/?tree=Try&rev=e82a2a40b497 Weird. Tryserver ran SpiderMonkey tests instead. (In reply to Anne (:annevk) from comment #15) > Okay, so we fix upstream first? Let's fix this in parallel. If fixed upstream gets pulled in first, great. If not, let's land this with expected fail.

Let's see if *this* try run includes Web Platform Tests: https://tbpl.mozilla.org/?tree=Try&rev=c1db47c4471d

(In reply to Henri Sivonen (:hsivonen) from comment #17) > Let's see if *this* try run includes Web Platform Tests: > https://tbpl.mozilla.org/?tree=Try&rev=c1db47c4471d W2 results not shown. Why might that be? W1 and W4 are shown.

Ms2ger pointed out that the results were green but hidden on try.

Landed again: https://hg.mozilla.org/integration/mozilla-inbound/rev/ce22b4d51b72 https://hg.mozilla.org/integration/mozilla-inbound/rev/cabc1a00c2a4 Thanks.

Whole push reverted due to the OS X bustage in: https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=932a92a16c29&jobname=osx.*debug remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/c2d07802d0f4 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/81ef2b9b375b remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/a30b95df07ef

Re-pushed, because the cause of the backout was really bug 964225 and not this one: https://hg.mozilla.org/integration/mozilla-inbound/rev/dabf59a88b55 https://hg.mozilla.org/integration/mozilla-inbound/rev/1abe619810bb

https://hg.mozilla.org/mozilla-central/rev/dabf59a88b55 https://hg.mozilla.org/mozilla-central/rev/1abe619810bb