Prompted by a recent message about SERVER_NAME, I took a look at some of the default error page SSIs. And they have '#echo encoding="none" var="..."' sprinkled in all sorts of places.
Please, do NOT do this. The ONLY place to use encoding=none is where you know the variable is being set by something that has already properly encoded or filtered any user supplied input, _AND_ we explicitly want any HTML in the variable to be rendered as HTML. It would probably be wise to try to have a list somewhere in the docs of the select subset of server set variables that fall into this category.

Things like:

    ./docs/error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var: die <!--#echo encoding="none" var="REDIRECT_REQUEST_METHOD"-->-Methode

are just security holes waiting to happen, and things like:

    ./docs/error/include/bottom.html: <small><!--#echo encoding="none" var="DATE_LOCAL" --></small>

while not exploitable, are just nonsensical since if there are any characters that need to be encoded in there, then not doing so will just result in bogus data going to the browser.

The default of using entity encoding is fine in the vast majority of cases, and only has to be overridden if we need URL encoding or if we hit a special case like ERROR_NOTES where we don't want to do any encoding.
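To make the point concrete, here is an added example (not code from httpd or from the message above) that expands SSI #echo directives under the three encoding modes and lints a fragment for encoding="none" on variables outside an allowlist. The allowlist, the sample variable values and the use of html.escape / urllib.parse.quote in place of the server's own escapers are assumptions for illustration; mod_include's real allowlist is the one the message says the docs should spell out.

```python
import html
import re
from urllib.parse import quote

# Matches one SSI echo directive, e.g. <!--#echo encoding="none" var="DATE_LOCAL" -->
ECHO_RE = re.compile(r'<!--#echo\s+(?P<attrs>[^>]*?)\s*-->')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed allowlist (illustration only): server-set variables whose value is
# already filtered and is *meant* to be rendered as HTML. The message proposes
# documenting such a list but does not supply one, so this is a placeholder.
HTML_SAFE_VARS = {"ERROR_NOTES"}


def encode(value: str, encoding: str) -> str:
    """Apply an #echo encoding mode. "entity" is mod_include's default; the
    stdlib escapers stand in for the server's own (assumption)."""
    if encoding == "none":
        return value                      # verbatim: trusts the value completely
    if encoding == "url":
        return quote(value, safe="")
    if encoding == "entity":
        return html.escape(value, quote=True)
    raise ValueError(f"unknown encoding {encoding!r}")


def expand(template: str, env: dict) -> str:
    """Expand every #echo directive in an SSI fragment from the variable map;
    unset variables echo as "(none)" like mod_include does."""
    def repl(m):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        return encode(env.get(attrs["var"], "(none)"), attrs.get("encoding", "entity"))
    return ECHO_RE.sub(repl, template)


def lint(template: str) -> list:
    """Return (line_no, var) for each encoding="none" applied to a variable that
    is not on the allowlist: the cases the message calls security holes."""
    findings = []
    for m in ECHO_RE.finditer(template):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        if attrs.get("encoding") == "none" and attrs.get("var") not in HTML_SAFE_VARS:
            findings.append((template.count("\n", 0, m.start()) + 1, attrs["var"]))
    return findings


# Constructed sample values and fragments: the same line with and without encoding="none".
ENV = {"REDIRECT_REQUEST_METHOD": "<b>GET</b>", "ERROR_NOTES": "<p>filtered by the server</p>"}
UNSAFE = 'die <!--#echo encoding="none" var="REDIRECT_REQUEST_METHOD" -->-Methode'
SAFE = 'die <!--#echo var="REDIRECT_REQUEST_METHOD" -->-Methode'

if __name__ == "__main__":
    print(expand(UNSAFE, ENV))   # markup reaches the browser verbatim
    print(expand(SAFE, ENV))     # default entity encoding neutralises it
    print(lint(UNSAFE + "\n" + '<!--#echo encoding="none" var="ERROR_NOTES" -->'))
```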