For strings where length % 4 == 2 or length % 4 == 3, atob does not verify that the lower bits of the last base64 character are zero. For example, atob("QR==") gives "A" when the correct encoding for "A" is "QQ==". Similarly, atob("QUG=") gives "AA" when the correct encoding for "AA" is "QUE=".
See the spec at http://www.whatwg.org/specs/web-apps/current-work/#dom-windowbase64-atob step 10 and the Note right after it.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
(In reply to Boris Zbarsky (:bz) from comment #1)
> See the spec at
> http://www.whatwg.org/specs/web-apps/current-work/#dom-windowbase64-atob
> step 10 and the Note right after it.

Any reason for that? It is strange that length % 4 == 1 that effectively provides 6 garbage bits is an error according to the step 5 while length % 2 == 2 and 4 garbage bits is not...
I expect the reason is that every UA does it that way already so changing it would be a web compat risk for no particularly good reason... Furthermore, nothing else I've found anywhere defines base64 decoding, so there is no other spec that we're violating here, as far as I can tell.
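
Added example, not part of the bug thread and not any browser's code: a JavaScript wrapper that keeps atob()'s decoding but rejects input whose discarded trailing bits are non-zero, so each byte string has exactly one accepted encoding. This matters when code compares, deduplicates or signs the base64 text rather than the decoded bytes. The names `unusedBitCount`, `discardedBits` and `strictAtob` are hypothetical.

```javascript
// Added example: strict wrapper around atob(). Helper names are hypothetical.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Number of low bits in the final data character that carry no payload.
// rem is the data length (padding removed) modulo 4.
function unusedBitCount(rem) {
  if (rem === 2) return 4; // 12 bits read, 8 kept
  if (rem === 3) return 2; // 18 bits read, 16 kept
  return 0;                // rem === 0: every bit is payload
}

// Returns the bits atob() silently drops, as an integer (0 means canonical).
// Throws, like atob(), when the input is not valid base64 at all.
function discardedBits(input) {
  atob(input); // atob() rejects bad characters and length % 4 == 1
  let data = String(input).replace(/[\t\n\f\r ]/g, ""); // ASCII whitespace
  if (data.length % 4 === 0) data = data.replace(/={1,2}$/, "");
  if (data.length === 0) return 0;
  const last = B64.indexOf(data[data.length - 1]);
  const mask = (1 << unusedBitCount(data.length % 4)) - 1;
  return last & mask;
}

// Same result as atob() for canonical input, an error otherwise.
function strictAtob(input) {
  if (discardedBits(input) !== 0) {
    throw new Error("non-canonical base64: trailing bits are not zero");
  }
  return atob(input);
}

// Constructed sample inputs: the two pairs from the bug description.
for (const s of ["QQ==", "QR==", "QUE=", "QUG="]) {
  let strict;
  try { strict = JSON.stringify(strictAtob(s)); } catch (e) { strict = "rejected"; }
  console.log(s, "atob:", JSON.stringify(atob(s)), "strictAtob:", strict);
}
```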