Nick Kew wrote:
> From 2.2.x/STATUS:
>
> * Various modules: Add explicit charset to the output of various
>   modules to work around possible cross-site scripting flaws affecting
>   web browsers that do not derive the response character set as required
>   by RFC2616.
>
> Two comments on that: the first trivial, the second more serious:
>
> 1. Is ISO-8859-1 right for these? Sure, it's not wrong (unless
>    as in (2) below), but why not label it as plain ASCII?

They are all text/html. RFC2616 clearly defined them as ISO-8859-1
in the absence of any other charset tag.