Author gvanrossum
Recipients barry, benjamin.peterson, gvanrossum, orsenthil, pitrou
Date 2011-03-08.19:14:21
>> It needs to add a charset parameter to the Content-type header.
> What is the rationale?

Without a charset parameter, IE7 engages in encoding-sniffing and can
be enticed to interpret the output as UTF-7. This allows an attacker to
hide e.g. <script> tags in UTF-7 encoded characters which do not get
quoted by cgi.encode(). This allows XSS attacks.

Date                 User        Action  Args
2011-03-08 19:14:22  gvanrossum  set     recipients: + gvanrossum, barry, orsenthil, pitrou, benjamin.peterson
2011-03-08 19:14:21  gvanrossum  link    issue11442 messages
2011-03-08 19:14:21  gvanrossum  create
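
The effect described in the message above, as an added example that is not part of the original message or of CPython's code. Assumptions: `html.escape` stands in for the escaping call the message mentions, `build_response`, `declared_charset` and `browser_view` are hypothetical helpers, and `browser_view` is a simplified model that treats a missing charset as the worst case of sniffing (UTF-7).

```python
import html
from email.message import Message

# Constructed sample: text with its angle brackets written in UTF-7, so it
# contains no literal '<', '>', '&' or quote for an HTML escaper to act on.
SAMPLE = "+ADw-script+AD4-x+ADw-/script+AD4-"


def build_response(text, encoding="utf-8", declare_charset=True):
    """Escape text and return (headers, body) for an HTML response."""
    body = html.escape(text).encode(encoding)
    ctype = "text/html"
    if declare_charset:
        ctype += "; charset=" + encoding
    return {"Content-Type": ctype}, body


def declared_charset(headers):
    """Return the charset parameter of Content-Type, or None if absent."""
    msg = Message()
    msg["Content-Type"] = headers["Content-Type"]
    return msg.get_content_charset()


def browser_view(headers, body):
    """Simplified client model (assumption): honour a declared charset,
    otherwise take the worst case of sniffing and decode as UTF-7."""
    return body.decode(declared_charset(headers) or "utf-7")


if __name__ == "__main__":
    for declare in (False, True):
        headers, body = build_response(SAMPLE, declare_charset=declare)
        print(headers["Content-Type"], "->", browser_view(headers, body))
```

The escaped body is byte-for-byte identical in both responses; only the declared charset changes what the client ends up parsing.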