Message 130349 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	gvanrossum
Recipients	barry, benjamin.peterson, gvanrossum, orsenthil, pitrou
Date	2011-03-08.19:14:21
SpamBayes Score	0.107394
Marked as misclassified	No
Message-id	<AANLkTikckuHFt9BKdM+qyF20+rUZYdu-cGq97jzRsu1Q@mail.gmail.com>
In-reply-to	<1299611345.11.0.243305359268.issue11442@psf.upfronthosting.co.za>

Content
>> It needs to add a charset parameter to the Content-type header. > > What is the rationale? Without a charset parameter, IE7 engages in encoding-sniffing and can be enticed to interpret the output as UTF7. This allows an attacker to hide e.g. <script> tags in UTF-7 encoded characters which do not get quoted by cgi.encode(). This allows XSS attacks.

>> It needs to add a charset parameter to the Content-type header.
>
> What is the rationale?

Without a charset parameter, IE7 engages in encoding-sniffing and can
be enticed to interpret the output as UTF7. This allows an attacker to
hide e.g. <script> tags in UTF-7 encoded characters which do not get
quoted by cgi.encode(). This allows XSS attacks.

History
Date	User	Action	Args
2011-03-08 19:14:22	gvanrossum	set	recipients: + gvanrossum, barry, orsenthil, pitrou, benjamin.peterson
2011-03-08 19:14:21	gvanrossum	link	issue11442 messages
2011-03-08 19:14:21	gvanrossum	create