- add note on security impact of suppress-error-charset for broken

browsers git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@595288 13f79535-47bb-0310-9956-ffa450edef68
2025-08-20 16:09:55 +00:00 · 2007-11-15 12:25:14 +00:00
parent 3e236f8b24
commit f808375746
1 changed files with 13 additions and 0 deletions
--- a/docs/manual/env.xml
+++ b/docs/manual/env.xml
@ -364,6 +364,19 @@
    set for the redirection text, and these broken browsers will then correctly
    use that of the destination page.</p>

+    <note type="warning">
+      <title>Security note</title> 
+
+      <p>Sending error pages without a specified character set may
+      allow a cross-site-scripting attack for existing browsers (MSIE)
+      which do not follow the HTTP/1.1 specification and attempt to
+      "guess" the character set from the content.  Such browsers can
+      be easily fooled into using the UTF-7 character set, and UTF-7
+      content from input data (such as the request-URI) will not be
+      escaped by the usual escaping mechanisms designed to prevent
+      cross-site-scripting attacks.</p>
+    </note>
+
   </section>

   <section id="proxy"><title>force-proxy-request-1.0, proxy-nokeepalive, proxy-sendchunked, proxy-sendcl</title>