by danhau 7 days ago
> However, when decoding, we must handle errors and skip spaces.
This had me scratching my head. Why would a base64 decoder need to skip spaces? But indeed, MDN documents this behavior:
> Note that: The whitespace in the space is ignored.
JS never ceases to surprise. Also, check out that typo :D
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...
Probably so you can put in line breaks? Seems common in base64 data, such as armored PGP keys or emails attachments. HTML attributes allow line breaks, although I haven’t seen it done for base64 images.
This might be for compatibility with XML Schema base64Binary, which collapses all whitespace (such as line breaks) to single spaces.
So technically it’s now possible to hide a payload in somewhat human-readable text, as long as it base64-decodes.
Now? There's no change. Also human readable text substantially consists of letters. But that's most of the base64 alphabet too. So this isn't like steganography. All the letters in the human-readable words are valid base64 characters too. The only thing about this is that you get to choose where to put the spaces and newlines. You can't exactly construct arbitrary payloads starting from arbitrary messages.
Maybe he means invisible whitespace characters that don't render? I haven't verified this but depending on the definition of whitespace it's possible you can pass a base64 string and insert an arbitrary number of them. When decoded per spec they do nothing so nobody notices them. But if you can pass the base64 string through you can receive or verify the hidden message. Lots of reasons you might want to hide data in plain sight.
What do you mean hide a payload?
Base64 isn’t obfuscation or encryption.