Message130349
>> It needs to add a charset parameter to the Content-type header.
>
> What is the rationale?
Without a charset parameter, IE7 engages in encoding-sniffing and can
be enticed to interpret the output as UTF7. This allows an attacker to
hide e.g. <script> tags in UTF-7 encoded characters which do not get
quoted by cgi.encode(). This allows XSS attacks.
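As an added illustration (not part of this message or of CPython), the Python 3 script below shows the risk the message describes and the header fix it asks for: html.escape(), the Python 3 successor of cgi.escape(), leaves the UTF-7 shifted form of a tag untouched because that form contains none of the characters it quotes, while a UTF-7 decoder still recovers the tag. The helper names utf7_shifted, escape_survives_utf7, content_type_header and has_explicit_charset are chosen here, and the "<script>" sample is constructed.

```python
import base64
import html


def utf7_shifted(text):
    """Return text as one UTF-7 shift sequence (RFC 2152): '+' followed by
    base64(UTF-16BE) with padding dropped, closed by '-'. Hand-rolled
    because Python 3's utf-7 codec leaves '<' and '>' unshifted (they are
    RFC 2152 set O), so it would not reproduce the form discussed here."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"


def escape_survives_utf7(markup):
    """Regression check for the risk described above: True when
    html.escape() hands the shifted form back unchanged (nothing to quote)
    and a UTF-7 decoder still turns it into the original markup."""
    shifted = utf7_shifted(markup)
    escaped = html.escape(shifted)            # only & < > " ' are quoted
    decoded = escaped.encode("ascii").decode("utf-7")
    return escaped == shifted and decoded == markup


def content_type_header(mimetype="text/html", charset="utf-8"):
    """Header value with the charset pinned, the fix the message asks for:
    with an explicit charset the browser has nothing to sniff."""
    return f"{mimetype}; charset={charset}"


def has_explicit_charset(content_type):
    """True if a Content-Type value carries a non-empty charset parameter.
    Parameter names are case-insensitive; a bare 'charset=' does not count."""
    for param in content_type.split(";")[1:]:
        name, sep, value = param.partition("=")
        if sep and name.strip().lower() == "charset" and value.strip().strip('"'):
            return True
    return False


if __name__ == "__main__":
    tag = "<script>"  # constructed sample markup
    print("shifted form :", utf7_shifted(tag))
    print("escape blind :", escape_survives_utf7(tag))
    for value in ("text/html", content_type_header()):
        print(f"{value!r:32} explicit charset: {has_explicit_charset(value)}")
```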
Date | User | Action | Args
2011-03-08 19:14:22 | gvanrossum | set | recipients: + gvanrossum, barry, orsenthil, pitrou, benjamin.peterson
2011-03-08 19:14:21 | gvanrossum | link | issue11442 messages
2011-03-08 19:14:21 | gvanrossum | create |