From 2.2.x/STATUS:

   * Various modules: Add explicit charset to the output of various
modules to work around possible cross-site scripting flaws affecting
web browsers that do not derive the response character set as required
by RFC2616.

Two comments on that: the first trivial, the second more serious:

1. Is ISO-8859-1 right for these?  Sure, it's not wrong (unless
   as in (2) below), but why not label it as plain ASCII?

2. Might ISO-8859-1 be downright wrong in some instances?
   Why should we suppose an FTP directory listing is ISO-8859-1?
   I'd also flag up mod_dav, though I haven't checked how it's
   used there.

This looks like a potential reincarnation of PR#13986.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
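
Both points in the message above can be checked against actual bytes. The Python sketch below is an added example, not part of the original message or of httpd's code; the sample listing lines and the helper names are constructed for illustration.

```python
# Added illustration. The listing lines are constructed, not real server output.
ENTRY = "-rw-r--r--   1 ftp  ftp   120 Jan 01  2008 {}\r\n"
LISTING_ASCII = ENTRY.format("README").encode("ascii")
# "r\u00e9sum\u00e9.txt" is "resume.txt" with e-acute, stored as UTF-8 on the origin.
LISTING_UTF8 = ENTRY.format("r\u00e9sum\u00e9.txt").encode("utf-8")
# "caf\u00e9.txt" with e-acute, stored as ISO-8859-1 on the origin.
LISTING_LATIN1 = ENTRY.format("caf\u00e9.txt").encode("iso-8859-1")


def narrowest_charset(body: bytes):
    """Heuristic: narrowest label the bytes are consistent with, else None."""
    if all(b < 0x80 for b in body):
        return "US-ASCII"   # point 1: 7-bit output needs no wider label
    try:
        body.decode("utf-8")
    except UnicodeDecodeError:
        return None         # 8-bit, encoding unknown: any label is a guess
    return "UTF-8"          # consistent with UTF-8 (not proof of it)


def rendered(body: bytes, declared: str) -> str:
    """Text a client shows when it trusts the declared charset."""
    # ISO-8859-1 maps all 256 byte values, so a wrong label never raises here.
    return body.decode(declared)


def label_changes_text(body: bytes, declared: str, actual: str) -> bool:
    """True when the declared charset yields different text than the real one."""
    return rendered(body, declared) != rendered(body, actual)


if __name__ == "__main__":
    samples = [("ascii", LISTING_ASCII), ("utf-8", LISTING_UTF8),
               ("latin-1", LISTING_LATIN1)]
    for name, body in samples:
        print(name, "->", narrowest_charset(body),
              "| shown as ISO-8859-1:", rendered(body, "iso-8859-1").strip())
```

For pure 7-bit output the ISO-8859-1 and US-ASCII labels give identical text, while the UTF-8 listing silently turns into mojibake under a hard-coded ISO-8859-1 label, which is the concern raised in point 2.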
