On 12/29/2007 06:22 PM, Nick Kew wrote:
> From 2.2.x/STATUS:
> 
>    * Various modules: Add explicit charset to the output of various
> modules to work around possible cross-site scripting flaws affecting
> web browsers that do not derive the response character set as required
> by RFC2616.
> 
> Two comments on that: the first trivial, the second more serious:
> 
> 1. Is ISO-8859-1 right for these?  Sure, it's not wrong (unless
>    as in (2) below), but why not label it as plain ASCII?
> 
> 2. Might ISO-8859-1 be downright wrong in some instances?
>    Why should we suppose an FTP directory listing is ISO-8859-1?

I have a patch in the pipe that makes this configurable for mod_proxy_ftp.
But we thought for the first shot it might be easier to hardcode the charset.
See further discussion on [EMAIL PROTECTED]

>    I'd also flag up mod_dav, though I haven't checked how it's
>    used there.

I have already checked this. IMHO it is only used for error messages and the
user-supplied data are only URIs, which might be in UTF-8 in the future
but mostly not now. Furthermore it is questionable if WebDAV clients display
these error messages at all, because not all of them are browsers and able
to render HTML.

Regards

Rüdiger
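A check for the condition the STATUS entry works around, as an added example that is not part of the original message or of the httpd code base: it flags responses whose markup-capable Content-Type carries no explicit charset. The function names, the list of rendered media types, and the sample paths and headers are assumptions constructed for illustration.

```python
from email.message import Message

# Assumption: media types a browser may render as markup or text, where a
# missing charset leaves the encoding to the browser's own guess.
RENDERED_TYPES = {"text/html", "text/plain", "text/xml", "application/xhtml+xml"}


def declared_charset(content_type):
    """Parse a Content-Type value into (media_type, charset or None)."""
    msg = Message()
    msg["Content-Type"] = content_type
    # get_content_charset() lowercases and unquotes the parameter;
    # an empty "charset=" is treated the same as no charset at all.
    return msg.get_content_type(), (msg.get_content_charset() or None)


def audit(responses):
    """Return (path, reason) for each response that leaves the charset implicit."""
    findings = []
    for path, headers in responses:
        lowered = {name.lower(): value for name, value in headers.items()}
        ctype = lowered.get("content-type")
        if ctype is None:
            findings.append((path, "no Content-Type header"))
            continue
        media_type, charset = declared_charset(ctype)
        if media_type in RENDERED_TYPES and charset is None:
            findings.append((path, f"{media_type} without explicit charset"))
    return findings


# Constructed sample responses (path, headers); not captured from a real server.
SAMPLE_RESPONSES = [
    ("/ftp/pub/", {"Content-Type": "text/html"}),
    ("/error/404", {"Content-Type": "Text/HTML; Charset=ISO-8859-1"}),
    ("/dav/locked", {"content-type": 'text/html; charset="utf-8"'}),
    ("/logo.png", {"Content-Type": "image/png"}),
    ("/noheader", {"Server": "example"}),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_RESPONSES):
        print(f"{path}: {reason}")
```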