Categories
html response content does not specify a character set
Organization Name (Required - If you are an Oracle Partner, please provide the organization you are logging the idea on behalf of):
Transportation Security Administration
Description (Required):
If a response states that it contains HTML content but does not specify a character set, then the browser may analyze the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters. In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of affected responses, and the context in which they appear, to determine whether any vulnerability exists.
Background: potential vulnerability reported by Nessus Application Burp Scan
Issue remediation:
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognized character set, for example charset=ISO-8859-1.
RE: SR 3-30560928911 - enhancement request recommended by Eric Holland
Use Case and Business Need (Required):
security vulnerability
Enhancement Request / Service Request:
Enhancement Request
Comments
-
Is there any update on this enhancement request?
0