httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: removing AddDefaultCharset from config file
Date Fri, 10 Dec 2004 12:19:52 GMT
On Fri, Dec 10, 2004 at 02:12:25AM -0800, Roy T. Fielding wrote:
> I've looked back at the Jan-Feb 2000 discussion regarding cross-site
> scripting in an attempt to find out why AddDefaultCharset is being
> set to iso-8859-1 in 2.x (but not in 1.3.x).  I can't find any rationale
> for that behavior -- in fact, several people pointed out that it would
> be inappropriate to set any default, which is why it was not set in 1.3.
> 
> The purpose of AddDefaultCharset is to provide sites that suffer from
> poorly written scripts and cross-site scripting issues an immediate
> handle by which they can force a single charset.  As it turns out,
> forcing a charset does nothing to reduce the problem of cross-site
> scripting because the browser will either auto-detect (and switch) or
> the user, upon seeing a bunch of gibberish, will go up to the menu and
> switch the charset just out of curiosity.  The real solutions were to
> stop reflecting client-provided data back to the browser without first
> carefully validating or percent-encoding it.

My understanding was that the forced default charset *does* prevent
browsers (or maybe, MSIE) from guessing the charset as UTF-7; UTF-7
being the special case as it's already an "escaped" encoding and hence
defies normal escaping-of-client-provided-data tricks.  Is that not
correct?

joe
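To make the point of this exchange concrete, here is an added example (not code from the thread or from httpd itself) that models what AddDefaultCharset does to a response's Content-Type and flags the case Joe describes, an HTML response with no declared charset, which leaves the browser free to guess the encoding. The directive's behaviour (only text/plain and text/html are touched, and only when no charset parameter is already present) is taken from the httpd documentation; the sample header values are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Content-Type values as an origin might emit them
# before any server-side default charset is applied (not from the thread).
SAMPLE_CONTENT_TYPES = [
    "text/html",
    "text/html; charset=utf-8",
    "text/plain",
    "application/json",
    "TEXT/HTML;CHARSET=ISO-8859-1",
]

_CHARSET_RE = re.compile(r';\s*charset\s*=\s*"?([^";\s]+)"?', re.IGNORECASE)


def declared_charset(content_type: str) -> Optional[str]:
    """Return the charset parameter of a Content-Type value, or None if absent."""
    m = _CHARSET_RE.search(content_type)
    return m.group(1).lower() if m else None


def media_type(content_type: str) -> str:
    """Return the media type with parameters stripped, lower-cased."""
    return content_type.split(";", 1)[0].strip().lower()


def apply_default_charset(content_type: str, default: str) -> str:
    """Model of AddDefaultCharset (assumption: per the httpd docs it only
    affects text/plain and text/html, and only when no charset is present)."""
    if media_type(content_type) in ("text/plain", "text/html") and declared_charset(content_type) is None:
        return f"{content_type}; charset={default}"
    return content_type


def sniffing_prone(content_type: str) -> bool:
    """True when an HTML response declares no charset, so the browser must guess.
    A guess of UTF-7 is the case the reply above describes: that encoding is
    pure ASCII and so passes unchanged through ordinary HTML escaping."""
    return media_type(content_type) == "text/html" and declared_charset(content_type) is None


def audit(content_types: List[str], default: str = "iso-8859-1") -> Tuple[List[str], List[str]]:
    """Return (before, after): sniffing-prone values without and with the default applied."""
    before = [ct for ct in content_types if sniffing_prone(ct)]
    after = [ct for ct in content_types if sniffing_prone(apply_default_charset(ct, default))]
    return before, after
```

Running `audit(SAMPLE_CONTENT_TYPES)` shows that only the bare `text/html` response is left to browser guessing, and that the 2.x default of iso-8859-1 closes that gap without altering responses that already declare a charset.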
