This article is a part of our Web Security Knowledge Base (back to index)

Why Charset Mismatch can be dangerous

When there’s charset mismatch between the HTTP header and content body web browsers can be forced into an undesirable content-sniffing mode to determine content’s correct character set.

An attacker could manipulate content on the page to be interpreted in an encoding of their choice. If an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.

How to fix Charset Mismatch

Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML.

How does ScanRepeat report Charset Mismatch

ScanRepeat identifies HTTP responses where the ‘Content-Type’ header declares a charset different from the charset defined in the XML encoding declaration. It reports every occurrence of this kind of mismatch, giving the url and the encoding declarations which have been found.

Would you like to test your application now against this problem? Sign up for our free trial

Scan Your Web App Now
Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free