http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23421

Remove AddDefaultCharset from httpd.conf as shipped

------- Additional Comments From [EMAIL PROTECTED] 2003-09-26 03:40 -------

OK, I think we need a clarification. We are not requesting the command AddDefaultCharset be eliminated. We are requesting that its use in the default configuration to set the charset to iso 8859-1 be eliminated.

As for the security risk, the significant piece of the referenced document seems to be:

"In addition, web pages should explicitly set a character set to an appropriate value in all dynamically generated pages."

We can all agree with this. The problem is iso 8859-1 is not an appropriate value for the majority of configurations. The article references that this used to be the default for some of the web standards and is no longer the case. It is because it is not the best choice in the majority of cases, even in English-speaking markets these days, that it is no longer the default.

Perhaps a better compromise solution is to at least ask the administrator what the value should be during the installation and provide a list of the most common encodings for them to choose from. Or default to UTF-8 and let people know clearly that is what you use.
