2 points by byronsalty 6166 days ago

So should this be a srv startup option (to support utf-8)? And then should all Content-Type: text/html become Content-Type: text/html;charset=utf-8 ?

That would be easy to add to the header stuff I was working on yesterday. Can probably do that tonight.

2 points by olavk 6166 days ago

Cool. I don't think it should be an option though, since the server generates utf-8 anyway - it just doesn't label it correctly. I can't imagine when it would be useful _not_ to indicate the encoding.

-----

7 points by kens 6166 days ago

Not indicating the encoding leaves you vulnerable to an XSS attack. For instance, the following looks harmless, but if you don't set the encoding explicitly it can get executed if your browser is set to UTF-7, or auto-detects to UTF-7:

+ADw-script+AD4-alert('XSS')+ADw-/script+AD4-

Edit to add some explanation: if displayed as UTF-7, the above will pop up an "XSS" alert box. It's just an example; it doesn't actually do anything bad, but it shows the potential for malicious XSS. A key point is that HTML-escaping your output or filtering out HTML tags isn't enough, since innocuous-looking characters can cause problems if the encoding is misinterpreted.

-----
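An added example (not code from this thread or from Arc's srv) that works through kens's point: the string above contains no `<` or `>` under UTF-8, so HTML-escaping leaves the tag intact, yet a browser reading the same bytes as UTF-7 sees a script element. `ensure_charset` is an assumed helper showing the header fix byronsalty describes; the header dict layout is an assumption, not srv's API.

```python
import html

# Constructed sample: the UTF-7 encoded string quoted in kens's comment above.
UTF7_PAYLOAD = "+ADw-script+AD4-alert('XSS')+ADw-/script+AD4-"


def escape_html(text: str) -> str:
    """Ordinary HTML output escaping, as a template engine would apply it."""
    return html.escape(text, quote=True)


def render_as(text: str, charset: str) -> str:
    """Simulate a browser interpreting the server's bytes under a given charset.

    The server emits the bytes once; only the label (or the browser's guess
    when no label is sent) decides whether they mean '<' or '+ADw-'.
    """
    return text.encode("utf-8").decode(charset)


def ensure_charset(headers: dict, charset: str = "utf-8") -> dict:
    """Return a copy of the response headers with an explicit charset on
    every text/* Content-Type that lacks one (assumed helper, not srv code)."""
    fixed = dict(headers)
    ctype = fixed.get("Content-Type")
    if ctype:
        media_type = ctype.split(";")[0].strip()
        if media_type.lower().startswith("text/") and "charset=" not in ctype.lower():
            fixed["Content-Type"] = f"{media_type}; charset={charset}"
    return fixed


if __name__ == "__main__":
    # Under UTF-8 the bytes are inert text; under UTF-7 they become markup,
    # and escaping first does not help because there is nothing to escape.
    print("as utf-8 :", render_as(UTF7_PAYLOAD, "utf-8"))
    print("as utf-7 :", render_as(UTF7_PAYLOAD, "utf-7"))
    print("escaped, then utf-7:", render_as(escape_html(UTF7_PAYLOAD), "utf-7"))
    print("fixed header:", ensure_charset({"Content-Type": "text/html"}))
```

Labelling the response explicitly is what removes the browser's guess; escaping alone cannot, because the escaper sees only ASCII letters, `+` and `-`.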