[issue11442] list_directory() in SimpleHTTPServer.py should add charset=... to Content-type header
Guido van Rossum
report at bugs.python.org
Tue Mar 8 20:14:22 CET 2011
Guido van Rossum <guido at python.org> added the comment:
>> It needs to add a charset parameter to the Content-type header.
>
> What is the rationale?
Without a charset parameter, IE7 engages in encoding-sniffing and can
be enticed to interpret the output as UTF7. This allows an attacker to
hide e.g. <script> tags in UTF-7 encoded characters which do not get
quoted by cgi.encode(). This allows XSS attacks.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11442>
_______________________________________
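The sniffing problem described in the message above, as an added Python example (not code from the tracker message or from CPython): HTML escaping leaves a UTF-7 spelled tag untouched, and only a declared charset stops a client from guessing the encoding. The function names and the sample file name are constructed for illustration, and `html.escape` is assumed here as the escaping call.

```python
import html
from email.message import Message

# Constructed sample: an ASCII-only file name that spells "<script>"
# once a client decodes the response body as UTF-7.
SAMPLE_NAME = "+ADw-script+AD4-"


def render_listing(names):
    """Hypothetical stand-in for a directory listing: escape every name."""
    items = "".join("<li>%s</li>\n" % html.escape(n) for n in names)
    return "<ul>\n%s</ul>\n" % items


def as_sniffed_utf7(body):
    """Return the text a client would see if it guessed UTF-7 for the body."""
    return body.encode("ascii").decode("utf-7")


def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()


def listing_headers(encoding="utf-8"):
    """Headers for the listing with the charset stated explicitly."""
    return {"Content-Type": "text/html; charset=%s" % encoding}


def needs_charset(headers):
    """True when an HTML response leaves the encoding to client sniffing."""
    ctype = headers.get("Content-Type", "")
    return ctype.startswith("text/html") and declared_charset(ctype) is None


if __name__ == "__main__":
    body = render_listing([SAMPLE_NAME])
    print("escaped body contains a raw tag:", "<script>" in body)
    print("UTF-7 view contains a raw tag:  ", "<script>" in as_sniffed_utf7(body))
    print("bare text/html needs charset:   ", needs_charset({"Content-Type": "text/html"}))
    print("fixed headers need charset:     ", needs_charset(listing_headers()))
```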