Perlfect Solutions
 

[Perlfect-search] sending an HTTP charset header

Daniel Naber perlfect-search@perlfect.com
Sat, 22 May 2004 00:17:49 +0200

On Thursday 20 May 2004 17:48, webmaster wrote:

> print "Content-Type: text/html; charset=", $CHARSET, "\n\n";
>
> I thought I'd ask what the developer(s) thought of this. Is there
> anything crucial that I've overlooked?

That is indeed a little bit cleaner than the <meta> tag. However, changing 
it from iso-8859-1 to something else doesn't make much sense usually, as 
you have to search with the same encoding that has been used for indexing. 
But Perlfect Search only supports indexing iso-8859-1.

> Also, in a comment on results page template, there's a note about the
> importance of declaring a charset to prevent cross site attacks. How is
> such an attack carried out, and how does the charset prevent it? Just
> curious about that.

It is mentioned in the CERT advisory about cross site scripting, but I 
think it is only possible in theory. If a browser uses a charset that's 
different from the known charsets, even for the US-ASCII part, different 
characters may be interpreted as HTML special characters. But these are 
not escaped by the script. I'm not sure such an encoding is implemented in 
any browser today.

Regards
 Daniel

-- 
http://www.danielnaber.de
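
The charset question above, as an added example that is not part of the original thread or of Perlfect Search: a Python sketch of a results page that HTML-escapes the echoed query, decoded once by a client left to guess the charset and once with the charset declared in the header. UTF-7 is used as one encoding in which unescaped ASCII decodes to `<` and `>`; the function names and the sample query are constructed for illustration.

```python
import html
import re

# Constructed sample input: contains none of the characters HTML escaping rewrites.
SAMPLE_QUERY = "+ADw-b+AD4-hi+ADw-/b+AD4-"

def build_response(query, charset=None):
    """Echo a search query the way a results page would: HTML-escaped,
    with the charset declared in the HTTP header only if one is given."""
    ctype = "text/html" + (f"; charset={charset}" if charset else "")
    body = "<p>Results for: " + html.escape(query) + "</p>"
    return f"Content-Type: {ctype}\n\n".encode("ascii") + body.encode("iso-8859-1")

def client_view(response, guessed_charset):
    """Decode the body as a client would: a declared charset wins,
    the client's own guess applies only when nothing is declared."""
    header, body = response.split(b"\n\n", 1)
    m = re.search(rb"charset=([\w-]+)", header)
    charset = m.group(1).decode("ascii") if m else guessed_charset
    return body.decode(charset)

def markup_added(response, guessed_charset):
    """Return the tags the client sees that the script never emitted."""
    _, body = response.split(b"\n\n", 1)
    emitted = set(re.findall(r"<[^>]+>", body.decode("iso-8859-1")))
    seen = re.findall(r"<[^>]+>", client_view(response, guessed_charset))
    return [tag for tag in seen if tag not in emitted]

if __name__ == "__main__":
    undeclared = build_response(SAMPLE_QUERY)
    declared = build_response(SAMPLE_QUERY, "iso-8859-1")
    # Escaping left the query untouched, so only the decoding step differs.
    print("no charset, client guesses utf-7:", markup_added(undeclared, "utf-7"))
    print("charset=iso-8859-1 declared:     ", markup_added(declared, "utf-7"))
```

The escaping step is identical in both responses; only the declared charset stops the client from reinterpreting the bytes.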