httpd-dev mailing list archives

From Nick Kew <>
Subject Adding charset to canned responses
Date Sat, 29 Dec 2007 17:22:05 GMT
From 2.2.x/STATUS:

   * Various modules: Add explicit charset to the output of various
     modules to work around possible cross-site scripting flaws affecting
     web browsers that do not derive the response character set as required
     by RFC2616.

Two comments on that: the first trivial, the second more serious:

1. Is ISO-8859-1 right for these?  Sure, it's not wrong (unless
   as in (2) below), but why not label it as plain ASCII?

2. Might ISO-8859-1 be downright wrong in some instances?
   Why should we suppose an FTP directory listing is ISO-8859-1?
   I'd also flag up mod_dav, though I haven't checked how it's
   used there.

This looks like a potential reincarnation of PR#13986.

Nick Kew

Application Development with Apache - the Apache Modules Book
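
An added example, not part of the original message and not httpd code: the hypothetical helper `charset_label_for()` returns a charset label only when the label is provably true for the bytes being sent, which covers both points above (pure 7-bit output can be labelled US-ASCII; a listing holding other bytes should not be assumed to be ISO-8859-1). The sample filenames are constructed. ISO-8859-1 cannot be confirmed this way because every byte sequence decodes under it, so the helper returns NULL and the caller must know the encoding from the data's source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an httpd API: return a charset label that is
 * verifiably correct for buf, or NULL when inspection cannot prove one. */
static const char *charset_label_for(const unsigned char *p, size_t len)
{
    int ascii_only = 1;
    size_t i = 0, k;

    while (i < len) {
        unsigned char c = p[i];
        size_t need;            /* continuation bytes expected */
        unsigned long cp, min;  /* code point, smallest legal value */

        if (c < 0x80) { i++; continue; }
        ascii_only = 0;

        if ((c & 0xE0) == 0xC0)      { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return NULL;       /* stray continuation or invalid lead byte */

        if (len - i <= need) return NULL;        /* truncated sequence */
        for (k = 1; k <= need; k++) {
            if ((p[i + k] & 0xC0) != 0x80) return NULL;
            cp = (cp << 6) | (p[i + k] & 0x3F);
        }
        /* Reject overlong forms, surrogates and values past U+10FFFF. */
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return NULL;
        i += need + 1;
    }
    return ascii_only ? "US-ASCII" : "UTF-8";
}

int main(void)
{
    /* Constructed sample: a Latin-1 encoded filename in a listing. */
    const unsigned char latin1[] = "r\xE9sum\xE9.txt";
    const char *label = charset_label_for(latin1, sizeof latin1 - 1);

    printf("label: %s\n", label ? label : "(unknown, do not guess)");
    return 0;
}
```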
