On Fri, Dec 10, 2004 at 02:12:25AM -0800, Roy T. Fielding wrote:
> I've looked back at the Jan-Feb 2000 discussion regarding cross-site
> scripting in an attempt to find out why AddDefaultCharset is being
> set to iso-8859-1 in 2.x (but not in 1.3.x). I can't find any rationale
> for that behavior -- in fact, several people pointed out that it would
> be inappropriate to set any default, which is why it was not set in 1.3.
>
> The purpose of AddDefaultCharset is to provide sites that suffer from
> poorly written scripts and cross-site scripting issues an immediate
> handle by which they can force a single charset. As it turns out,
> forcing a charset does nothing to reduce the problem of cross-site
> scripting because the browser will either auto-detect (and switch) or
> the user, upon seeing a bunch of gibberish, will go up to the menu and
> switch the charset just out of curiosity. The real solutions were to
> stop reflecting client-provided data back to the browser without first
> carefully validating or percent-encoding it.
My understanding was that the forced default charset *does* prevent browsers (or maybe, MSIE) from guessing the charset as UTF-7; UTF-7 being the special case as it's already an "escaped" encoding and hence defies normal escaping-of-client-provided-data tricks. Is that not correct?

joe
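
The following is an added worked example, not code from this thread or from httpd, that puts both arguments above side by side. It builds the UTF-7 form of `<script>alert(1)</script>` (in UTF-7 the characters `<` and `>` become the shift sequences `+ADw-` and `+AD4-`, so an HTML escaper finds nothing to escape), reflects it through a server-side escaper, and then decodes the page under three client behaviours: no charset on the wire (browser sniffs), a charset forced the way AddDefaultCharset does it, and a forced charset that the user overrides by hand. The browser model (`browser_decode`) is a deliberately simplified assumption for the example, not any real browser's sniffing algorithm; the shift sequences are built by hand because Python's own `utf-7` codec writes `<` and `>` (RFC 2152 "Set O" characters) directly rather than shifted.

```python
import base64
import html
import re
from typing import Dict, Optional


def utf7_shift(text: str) -> str:
    """Encode `text` as one UTF-7 shifted sequence (RFC 2152): '+', the
    modified base64 of the UTF-16BE code units with '=' padding dropped,
    then the '-' terminator.  Built by hand because Python's utf-7 codec
    leaves '<' and '>' (RFC 2152 "Set O") unshifted."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii").rstrip("=")
    return "+" + b64 + "-"


def utf7_obfuscate(text: str, targets: str = "<>\"'&") -> str:
    """Attacker side: shift only the characters an HTML escaper looks for,
    leaving the rest as plain ASCII."""
    return "".join(utf7_shift(c) if c in targets else c for c in text)


# Constructed attacker input: no '<', '>', '&' or quote character survives in it.
PAYLOAD = utf7_obfuscate("<script>alert(1)</script>")


def reflect_escaped(search_term: str) -> bytes:
    """Server side: reflect a query parameter after HTML-escaping it, the
    'normal' defence.  The script emits ISO-8859-1 bytes and has no say in
    which charset the client will actually apply."""
    page = "<html><body><p>You searched for: " + html.escape(search_term) + "</p></body></html>"
    return page.encode("latin-1")


def content_type_header(force_charset: Optional[str]) -> str:
    """What AddDefaultCharset changes: with a value set, a text/* response
    that lacks a charset parameter gets one appended."""
    if force_charset is None:
        return "Content-Type: text/html"
    return "Content-Type: text/html; charset=" + force_charset


# A UTF-7 shifted sequence: '+', modified base64, '-' terminator.
_UTF7_SHIFT = re.compile(rb"\+[A-Za-z0-9+/]+-")


def browser_decode(body: bytes, header: str, user_override: Optional[str] = None) -> str:
    """Simplified 2004-era browser, assumed for this example only (not any
    real browser's algorithm):
      1. a charset picked by the user from the View menu wins;
      2. otherwise an explicit charset in Content-Type is honoured;
      3. otherwise the body is sniffed, and UTF-7 shift sequences make the
         browser guess UTF-7."""
    if user_override is not None:
        return body.decode(user_override, errors="replace")
    m = re.search(r"charset=([A-Za-z0-9_-]+)", header)
    if m:
        return body.decode(m.group(1), errors="replace")
    if _UTF7_SHIFT.search(body):
        return body.decode("utf-7", errors="replace")
    return body.decode("latin-1")


def script_executes(rendered: str) -> bool:
    """Would the rendered markup contain a live <script> element?"""
    return "<script>" in rendered.lower()


def demo() -> Dict[str, bool]:
    body = reflect_escaped(PAYLOAD)
    return {
        # The escaper changed nothing: it saw no '<' or '>' to escape.
        "escaper_saw_nothing": html.escape(PAYLOAD) == PAYLOAD,
        # No charset on the wire: the browser sniffs UTF-7 and the tag is live.
        "no_charset_sniffed": script_executes(browser_decode(body, content_type_header(None))),
        # Forced ISO-8859-1: auto-detection is skipped and the payload stays inert.
        "forced_charset": script_executes(browser_decode(body, content_type_header("ISO-8859-1"))),
        # Roy's caveat: the user switches the charset by hand and it is live again.
        "forced_but_user_switched": script_executes(
            browser_decode(body, content_type_header("ISO-8859-1"), user_override="utf-7")),
    }


if __name__ == "__main__":
    for name, live in demo().items():
        print(name, "-> script runs" if live else "-> inert")
```

Run as a script it prints one line per scenario. The forced charset does stop the sniffing path, which is the behaviour joe describes, while the override path shows why Roy treats it as a mitigation rather than a fix: only escaping or validating the reflected data in the encoding the client will actually use closes the hole.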
