add charset=utf-8 to withJson response
Requesting the addition of a charset with the withJson response. This PR sets it to utf-8; maybe a parameter with a default value would be preferable.
I'm not sure adding charset=utf-8 really has an effect since the default JSON text encoding is UTF-8.
Hi, thanks for your review! The absence of the explicitly declared charset was picked up by our security scanner. Here is an explanation:
The encoding hasn't been declared either through the meta-tag, the byte-order-mark or the header, so the browser will make an attempt to detect the document's encoding. This exploit only works if the document reflects user input and the browser can be tricked into encoding the page as UTF-7 instead of UTF-8. Some of the browsers actually support UTF-7.
But I am also seeing that this exploit is pretty old and maybe not possible any more:
Older versions of Internet Explorer can be tricked into interpreting the page as UTF-7. This can be used for a cross-site scripting attack as the < and > marks can be encoded as +ADw- and +AD4- in UTF-7, which most validators let through as simple text. (https://en.wikipedia.org/wiki/UTF-7#Security)
What do you think of allowing users to set the charset with an optional parameter, and having no charset by default?
The test "testPathWithMultipleSlashes" also failed for me before I made any changes. This failure pre-exists changes from this PR.
Coverage remained the same at 100.0% when pulling 3ad3e56256f5ee4259eee2b0cf5317ae134317b5 on pzzd:withjson-charset into 609b5e9d053ce2da52c2f380e4f7420d81b44480 on slimphp:master.
The application/json media type does not support charset as per https://www.iana.org/assignments/media-types/application/json.
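As an added example (not Slim's withJson() and not code from this PR), one way to address the scanner finding without depending on a charset parameter that application/json does not define: escape angle brackets and quotes at JSON-encoding time with PHP's JSON_HEX_* flags, so reflected input never contains a literal < or >, and send X-Content-Type-Options: nosniff. The function name, the optional $charset parameter and the plain array standing in for a response object are assumptions for illustration.

```php
<?php
// Added example, not Slim's withJson(): builds headers and body for a JSON
// response. $charset mirrors the optional-parameter idea from the discussion
// and defaults to null because the IANA registration of application/json
// defines no charset parameter.
function buildJsonResponse($data, ?string $charset = null, int $encodingOptions = 0): array
{
    // JSON_HEX_TAG turns < and > into \u003C and \u003E, JSON_HEX_AMP escapes &,
    // JSON_HEX_APOS and JSON_HEX_QUOT escape quotes. Reflected user input thus
    // never carries literal markup characters, so a browser that mis-sniffs the
    // encoding (the UTF-7 case quoted above) has nothing to turn into tags.
    $flags = $encodingOptions | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $body = json_encode($data, $flags);
    if ($body === false) {
        // json_encode returns false for malformed UTF-8 input (JSON_ERROR_UTF8)
        // and other encoding failures; refuse to emit a partial body.
        throw new RuntimeException('JSON encoding failed: ' . json_last_error_msg());
    }

    $contentType = 'application/json';
    if ($charset !== null) {
        // Only appended when the caller asks for it; see the IANA note above.
        $contentType .= ';charset=' . $charset;
    }

    return [
        'headers' => [
            'Content-Type'           => $contentType,
            // Instructs browsers not to sniff the media type of this response.
            'X-Content-Type-Options' => 'nosniff',
        ],
        'body' => $body,
    ];
}

// Constructed sample: a user-supplied string echoed back in the response body.
$reflected = ['q' => '<b>hello</b> & "friends"'];

$response = buildJsonResponse($reflected);
echo $response['headers']['Content-Type'], "\n";
echo $response['body'], "\n";

$withCharset = buildJsonResponse($reflected, 'utf-8');
echo $withCharset['headers']['Content-Type'], "\n";
```

Inspect the printed body: the angle brackets, ampersand and quotes appear only as \uXXXX escapes, which is what removes the reflected-markup precondition the scanner text describes.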