public class AddDefaultCharsetFilter
extends java.lang.Object
Filter that explicitly sets the default character set for media subtypes of
the "text" type to ISO-8859-1. RFC 2616 explicitly states that browsers must
use ISO-8859-1 in these circumstances. However, browsers may attempt to
auto-detect the character set. This may be exploited by an attacker to
perform an XSS attack. Internet Explorer has this behaviour by default; other
browsers have an option to enable it.
This filter prevents the attack by explicitly setting a character set. Unless
the provided character set is explicitly overridden by the user - in which
case they deserve everything they get - the browser will adhere to an
explicitly set character set, thus preventing the XSS attack.
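The mechanism described above, as an added illustration in Java that is not Tomcat's own AddDefaultCharsetFilter source: a hypothetical filter wraps the response and appends `;charset=ISO-8859-1` to any `text/*` Content-Type that the application sets without naming a charset, so the browser is never left to guess. It assumes the `javax.servlet` API at Servlet 4.0 or later, where `init` and `destroy` have default implementations.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical example (not Tomcat's implementation): wrap the response so that a
// text/* Content-Type set without a charset is sent with an explicit default charset,
// removing the browser's reason to auto-detect the encoding.
public class DefaultCharsetExampleFilter implements Filter {
    private static final String DEFAULT_CHARSET = "ISO-8859-1";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request, new CharsetResponse((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }

    // Response wrapper that intercepts the Content-Type the servlet or JSP sets.
    static final class CharsetResponse extends HttpServletResponseWrapper {
        CharsetResponse(HttpServletResponse response) { super(response); }

        @Override
        public void setContentType(String contentType) {
            super.setContentType(withDefaultCharset(contentType));
        }
    }

    // Append the default charset only to "text/*" types that do not already name one,
    // so an application that explicitly chose UTF-8 (or any other charset) keeps it.
    static String withDefaultCharset(String contentType) {
        if (contentType == null) return null;
        String lower = contentType.toLowerCase(Locale.ROOT);
        if (lower.startsWith("text/") && !lower.contains("charset=")) {
            return contentType + ";charset=" + DEFAULT_CHARSET;
        }
        return contentType;
    }
}
```

A production filter would also intercept `setHeader`/`addHeader` for `Content-Type`, since an application can set the header directly and bypass `setContentType`; the filter is then mapped to the relevant URL patterns in `web.xml` like any other servlet filter.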