Guido van Rossum <[email protected]> added the comment:

>> It needs to add a charset parameter to the Content-type header.
>
> What is the rationale?
Without a charset parameter, IE7 engages in encoding-sniffing and can be enticed to interpret the output as UTF-7. This allows an attacker to hide e.g. <script> tags in UTF-7 encoded characters which do not get quoted by cgi.encode(). This allows XSS attacks.

----------
Python tracker <[email protected]>
<http://bugs.python.org/issue11442>
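The mechanism behind this comment, as an added illustration that is not part of the tracker thread and not Python's own code: HTML escaping only rewrites the ASCII characters `< > & " '`, while UTF-7 (RFC 2152) can spell exactly those characters as `+...-` base64 runs that contain none of them. So escaping leaves the UTF-7 spelling untouched, and a browser that is left to guess the encoding and picks UTF-7 decodes it back into markup. Declaring the charset removes the guess. The functions, the modelled "sniffer" in `browser_view`, and the sample input are this example's own; `html.escape` is the modern home of `cgi.escape`.

```python
"""Why an HTML response needs 'Content-Type: text/html; charset=...' (added example)."""
import base64
import html
from typing import List, Optional

HTML_METACHARS = set('<>&"\'')


def utf7_spelling(text: str) -> str:
    """Spell each HTML metacharacter in `text` as a UTF-7 base64 run.

    RFC 2152: a run is '+', then modified base64 of the UTF-16BE code units
    with '=' padding dropped, then '-'.  A literal '+' must be written '+-'.
    Everything else passes through unchanged.
    """
    out = []
    for ch in text:
        if ch in HTML_METACHARS:
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii").rstrip("=")
            out.append(f"+{b64}-")
        elif ch == "+":
            out.append("+-")
        else:
            out.append(ch)
    return "".join(out)


def escaping_leaves_unchanged(text: str) -> bool:
    """True when html.escape (successor of cgi.escape) has nothing to rewrite."""
    return html.escape(text, quote=True) == text


def browser_view(body: str, declared_charset: Optional[str]) -> str:
    """Model the browser's decoding step.

    With a declared charset the bytes are read as that charset.  Without one,
    this models a sniffer that guesses UTF-7 (the IE7 behaviour described in
    the thread); this is a deliberately simplified stand-in for sniffing.
    """
    charset = declared_charset or "utf-7"
    return body.encode("ascii").decode(charset)


def content_type_header(charset: Optional[str]) -> str:
    """Build the header line with or without the charset parameter."""
    if charset is None:
        return "Content-Type: text/html"
    return f"Content-Type: text/html; charset={charset}"


def declares_charset(headers: List[str]) -> bool:
    """Check to run over outgoing headers: is the encoding pinned down?"""
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "content-type":
            continue
        params = (p.strip().lower() for p in value.split(";")[1:])
        return any(p.startswith("charset=") and len(p) > len("charset=") for p in params)
    return False


if __name__ == "__main__":
    untrusted = "<b>hello</b>"          # constructed sample input
    hidden = utf7_spelling(untrusted)    # "+ADw-b+AD4-hello+ADw-/b+AD4-"
    print("escaping changed nothing:", escaping_leaves_unchanged(hidden))
    print("charset=utf-8 declared, browser sees:", browser_view(hidden, "utf-8"))
    print("no charset, sniffed as UTF-7, sees :", browser_view(hidden, None))
    for cs in ("utf-8", None):
        print(content_type_header(cs), "->", declares_charset([content_type_header(cs)]))
```

`declares_charset` is the kind of check worth running over any handler that emits `text/html`: it flags both a missing parameter and an empty `charset=`, either of which leaves the encoding to the client.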
