On Tue, 6 Jul 2004, Matthew Wilcox wrote:

> On Tue, Jul 06, 2004 at 07:10:10AM +0200, Fabio Massimo Di Nitto wrote:
> > This thing has been discussed over and over. This is the last reference to
> > it:
> >
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=211889&archive=yes
> >
> > Since setting AddDefaultCharset off can imply a security problem we will
> > never switch it to off. For more information please check the previous URL
> > and the apache documentation on httpd.apache.org
>
> I think the real bug here is in the html specification -- it says the
> server's setting overrides the document's setting, which just seems daft.
>
> My understanding of the security problem is that you need to always set
> _some_ charset encoding.  So I think it'd be a good idea to always set
> utf-8 rather than latin1 in new installations.

The reason why I didn't change the default setting is because all the internal
error pages use latin1 (AddDefaultCharset on) and I didn't want to create
a discrepancy between the config and the internal pages.

Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.

