Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2006-42

Web site XSS using BOM on UTF-8 pages

June 1, 2006
Masatoshi Kimura
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox
  • SeaMonkey 1.0.2
  • Thunderbird


Masatoshi Kimura reports that the Unicode Byte-order-Mark (BOM) is stripped from UTF-8 pages during the conversion to Unicode before the parser sees the web page. As a result the parser will see and process script tags that web input sanitizers may miss because they appear as "scr[BOM]ipt" or similar in the comment code on the web site.

Although Firefox and later will be fixed and no longer accept such script tags, web sites will continue to be visited by older versions of Firefox and Mozilla browsers. Web sites can protect themselves by explicitly setting the character encoding to something other than UTF-8, or by adding the Unicode byte-order marks to the repertoire of the site's input sanitizer.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.


Users can protect themselves by disabling JavaScript on sites that allow community input until they can upgrade to a fixed version.

Sites can protect their users by stripping the BOM from web input or, if appropriate, specifying a character encoding other than UTF-8.