UTF-7 XSS attacks in modern browsers

This exploit is only possible in old versions of Internet Explorer. Modern browsers will not auto detect the encoding as UTF-7.

OWASP:

This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported.

Wikipedia:

To mitigate this problem, systems should perform decoding before validation and should avoid attempting to autodetect UTF-7. Older versions of Internet Explorer can be tricked into interpreting the page as UTF-7.

Chrome and Firefox seem to no longer support UTF-7 in any format. The HTML5 specification says:

User agents must support the encodings defined in the WHATWG Encoding standard. User agents should not support other encodings.

User agents must not support the CESU-8, UTF-7, BOCU-1 and SCSU encodings. [CESU8] [UTF7] [BOCU1] [SCSU]

Support for encodings based on EBCDIC is especially discouraged. This encoding is rarely used for publicly-facing Web content. Support for UTF-32 is also especially discouraged. This encoding is rarely used, and frequently implemented incorrectly.
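As an added defensive example (not code from the original answer or from any of the quoted sources), here are the two mitigations the page points at, in Python: decode input with an allow-listed, explicitly declared charset before validating it (refusing UTF-7 and any other charset not on the list), and make sure text responses carry an explicit charset so no browser, old or new, has to guess. The allow-list, the markup check and the helper names are assumptions made for the example.

```python
"""
Added example: decode-before-validate and explicit response charset.
Not from the original post; ALLOWED_CHARSETS and the helper names are assumptions.
"""
import codecs

# Assumption: the application only ever accepts these canonical codec names.
# UTF-7 is deliberately absent, so it can never be decoded, let alone guessed.
ALLOWED_CHARSETS = {"utf-8", "ascii"}


def normalize(raw: bytes, declared_charset: str) -> str:
    """Decode raw bytes using the declared charset, or refuse.

    codecs.lookup() canonicalises aliases ("UTF8", "utf_8" -> "utf-8"), so the
    allow-list is compared against one spelling only. Strict decoding rejects
    malformed byte sequences instead of silently substituting characters.
    """
    try:
        charset = codecs.lookup(declared_charset).name
    except LookupError as exc:
        raise ValueError(f"unknown charset {declared_charset!r}") from exc
    if charset not in ALLOWED_CHARSETS:
        raise ValueError(f"refusing to decode charset {charset!r}")
    return raw.decode(charset, errors="strict")


def contains_html_markup(text: str) -> bool:
    """Minimal check used for the example: any angle bracket counts as markup."""
    return any(c in text for c in "<>")


def validate_input(raw: bytes, declared_charset: str) -> bool:
    """Return True when the input is acceptable.

    Validation runs on the decoded text, never on the raw bytes, which is the
    ordering the Wikipedia quote recommends. A byte-level check would inspect
    a representation the browser may not end up using.
    """
    text = normalize(raw, declared_charset)
    return not contains_html_markup(text)


def ensure_charset(content_type: str) -> str:
    """Add an explicit charset to text/* Content-Type values that lack one.

    An explicit charset removes the autodetection step entirely; responses
    that already declare one, and non-text responses, are left untouched.
    """
    media, _, params = content_type.partition(";")
    media = media.strip().lower()
    if not media.startswith("text/"):
        return content_type
    if "charset=" in params.lower():
        return content_type
    return f"{media}; charset=utf-8"


if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    print(validate_input("hello world".encode("utf-8"), "UTF8"))   # True
    print(validate_input("<b>hi</b>".encode("utf-8"), "utf-8"))    # False
    print(ensure_charset("text/html"))                               # text/html; charset=utf-8
    try:
        validate_input(b"anything", "utf-7")
    except ValueError as err:
        print("rejected:", err)
```

The order matters: `normalize()` runs before any content check, and the allow-list is enforced on the canonical codec name so that spelling variants of a disallowed charset cannot slip past it.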