Author gvanrossum
Recipients barry, benjamin.peterson, gvanrossum, orsenthil, pitrou
Date 2011-03-08.19:14:21
Message-id <AANLkTikckuHFt9BKdM+qyF20+rUZYdu-cGq97jzRsu1Q@mail.gmail.com>
In-reply-to <1299611345.11.0.243305359268.issue11442@psf.upfronthosting.co.za>
Content
>> It needs to add a charset parameter to the Content-type header.
>
> What is the rationale?

Without a charset parameter, IE7 engages in encoding-sniffing and can
be enticed to interpret the output as UTF7. This allows an attacker to
hide e.g. <script> tags in UTF-7 encoded characters which do not get
quoted by cgi.encode(). This allows XSS attacks.
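As an added example (not part of this bug report or of CPython's own code), a directory-listing builder that declares the charset explicitly, as the report proposes, together with a check that the parameter is actually present on the Content-Type value (names and the `entries` sample are constructed for illustration):

```python
import html
import urllib.parse
from email.message import Message


def listing_response(entries, enc="utf-8"):
    """Build (headers, body) for an HTML directory listing.

    The charset is stated both in the Content-Type header and in a <meta>
    tag, so a browser never has to sniff the body's encoding; the escaping
    done by html.escape() then applies to the text the browser really sees.
    """
    lines = [
        "<!DOCTYPE html>",
        "<html><head>",
        f'<meta charset="{enc}">',
        "<title>Directory listing</title>",
        "</head><body><ul>",
    ]
    for name in entries:
        # Percent-encode the link target, HTML-escape the visible text.
        href = urllib.parse.quote(name)
        lines.append(f'<li><a href="{href}">{html.escape(name)}</a></li>')
    lines.append("</ul></body></html>")
    body = "\n".join(lines).encode(enc, "surrogateescape")
    headers = {
        "Content-Type": f"text/html; charset={enc}",  # the fix: no charset sniffing
        "Content-Length": str(len(body)),
    }
    return headers, body


def charset_of(content_type):
    """Return the charset parameter of a Content-Type value, or None if absent."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_param("charset")


if __name__ == "__main__":
    # Constructed sample: one ordinary name, one with markup characters.
    hdrs, body = listing_response(["notes.txt", "<b>bold</b>.txt"])
    print(hdrs["Content-Type"], "->", charset_of(hdrs["Content-Type"]))
    print("text/html ->", charset_of("text/html"))  # the weak header: None
```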
History
Date                 User        Action  Args
2011-03-08 19:14:22  gvanrossum  set     recipients: + gvanrossum, barry, orsenthil, pitrou, benjamin.peterson
2011-03-08 19:14:21  gvanrossum  link    issue11442 messages
2011-03-08 19:14:21  gvanrossum  create