Oracle Analytics Cloud and Server Idea Lab

Products Banner

html response content does not specify a character set


Organization Name (Required - If you are an Oracle Partner, please provide the organization you are logging the idea on behalf of):

Transportation Security Administration

Description (Required):

If a response states that it contains HTML content but does not specify a character set, then the browser may analyze the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters. In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of affected responses, and the context in which they appear, to determine whether any vulnerability exists.

Background: potential vulnerability reported by Nessus Application Burp Scan

Issue remediation:

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognized character set, for example charset=ISO-8859-1.

RE: SR 3-30560928911 - enhancement request recommended by Eric Holland

Use Case and Business Need (Required):

security vulnerability

Enhancement Request / Service Request:

Enhancement Request

4 votes

Submitted · Last Updated