Class AddDefaultCharsetFilter

java.lang.Object
org.apache.catalina.filters.FilterBase
org.apache.catalina.filters.AddDefaultCharsetFilter
All Implemented Interfaces:
Filter

public class AddDefaultCharsetFilter extends FilterBase
Filter that explicitly sets the default character set for media subtypes of the "text" type to ISO-8859-1, or another user-defined character set. RFC 2616 explicitly states that browsers must use ISO-8859-1 if no character set is defined for media subtypes of the "text" type. However, browsers may attempt to auto-detect the character set. This may be exploited by an attacker to perform an XSS attack. Internet Explorer has this behaviour by default. Other browsers have an option to enable it.
This filter prevents the attack by explicitly setting a character set. Unless the provided character set is explicitly overridden by the user - in which case they deserve everything they get - the browser will adhere to an explicitly set character set, thus preventing the XSS attack.
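
The rule described above, sketched as an added example (not Tomcat's own code): a text/* Content-Type with no charset parameter gets one appended, and anything else passes through unchanged. The class name, method name and sample header values are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;

public class DefaultCharsetDemo {

    // The page names ISO-8859-1 as the default; another charset may be supplied instead.
    static final String DEFAULT_CHARSET = "ISO-8859-1";

    /**
     * Hypothetical helper: returns the Content-Type value with a charset
     * parameter appended when the media type is text/* and none is present.
     */
    static String withDefaultCharset(String contentType, String charset) {
        if (contentType == null) {
            return null;
        }
        // Simple split on ';' (assumes no ';' inside quoted parameter values).
        String[] parts = contentType.split(";");
        String mediaType = parts[0].trim().toLowerCase(Locale.ROOT);
        if (!mediaType.startsWith("text/")) {
            return contentType; // only media of the "text" type is affected
        }
        for (int i = 1; i < parts.length; i++) {
            // Parameter names are case-insensitive, so "Charset=" counts too.
            if (parts[i].trim().toLowerCase(Locale.ROOT).startsWith("charset=")) {
                return contentType; // the application already declared a charset
            }
        }
        // No charset declared: set one so the browser has nothing to auto-detect.
        return contentType + ";charset=" + charset;
    }

    public static void main(String[] args) {
        // Constructed sample header values, not taken from a real application.
        List<String> samples = List.of(
            "text/html",
            "text/plain; format=flowed",
            "text/html; Charset=UTF-8",
            "application/json",
            "image/png");
        for (String s : samples) {
            System.out.println(s + "  ->  " + withDefaultCharset(s, DEFAULT_CHARSET));
        }
    }
}
```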