The meta charset mysteries

The Mozilla documentation for the meta element - charset states the following in its Notes section:

It is good practice, and strongly recommended, to define the character set using this attribute. If no character set is defined for a page, several cross-scripting techniques may become practical to harm the page user, like the UTF-7 fallback cross-scripting technique. Always setting this meta will protect against these risks.

It also states that:

Authors are encouraged to use UTF-8.

Specifying a charset, for example,

<meta charset="utf-8">

in the head of your HTML document helps protect against cross-site scripting attacks.

Here's an example of an attack on Google: Google's XSS Vulnerability.

Paul Irish talks about this in his The Fundamentals, Primitives and History of HTML5 video.

Also, according to the Mozilla docs, it's important to place the charset declaration within the first 512 bytes of your HTML file, as some browsers only look at these first bytes before choosing a character set for the page.
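
One way to check a page against both points above (a charset is declared, and the meta declaration sits within the first 512 bytes). This is an added example, not code from the Mozilla docs or the original post. The name `auditCharset`, its return shape and the sample page are assumptions for illustration, and the precedence it uses (byte order mark, then HTTP header, then meta) is a simplification of what browsers do.

```javascript
// Added example. PRESCAN_BYTES is the 512-byte figure quoted in the article.
const PRESCAN_BYTES = 512;

// Matches <meta charset="x"> and the legacy
// <meta http-equiv="Content-Type" content="text/html; charset=x"> form.
const META_RE = /<meta\b[^>]*?\bcharset\s*=\s*["']?\s*([\w.:-]+)/i;

function bomCharset(bytes) {
  if (bytes[0] === 0xef && bytes[1] === 0xbb && bytes[2] === 0xbf) return "utf-8";
  if (bytes[0] === 0xfe && bytes[1] === 0xff) return "utf-16be";
  if (bytes[0] === 0xff && bytes[1] === 0xfe) return "utf-16le";
  return null;
}

// bytes: Uint8Array of the raw response body; contentType: header value or null.
function auditCharset(bytes, contentType = null) {
  const findings = [];
  const header = /;\s*charset\s*=\s*["']?([\w.:-]+)/i.exec(contentType || "");
  // Map each byte to one character so string offsets equal byte offsets.
  let text = "";
  for (const b of bytes) text += String.fromCharCode(b);
  const meta = META_RE.exec(text);
  const bom = bomCharset(bytes);

  let source = null, charset = null;
  if (bom) { source = "bom"; charset = bom; }
  else if (header) { source = "http-header"; charset = header[1]; }
  else if (meta) { source = "meta"; charset = meta[1]; }

  if (!meta) {
    findings.push("no <meta charset> in document");
  } else if (meta.index + meta[0].length > PRESCAN_BYTES) {
    // The charset value, not just the start of the tag, must be in the window.
    findings.push(`meta charset ends at byte ${meta.index + meta[0].length}, past the first ${PRESCAN_BYTES}`);
    if (source === "meta") { source = null; charset = null; }
  }
  if (!source) findings.push("no reliable charset declaration; the browser may guess");
  else if (charset.toLowerCase() !== "utf-8") findings.push(`charset is ${charset}, not utf-8`);
  return { source, charset: charset && charset.toLowerCase(), findings };
}

// Constructed sample: a long comment pushes the declaration past the window.
const late = new TextEncoder().encode(
  "<!doctype html><html><head><!--" + "x".repeat(600) + '--><meta charset="utf-8">');
console.log(auditCharset(late));
```

A page that passes returns an empty `findings` array; the constructed sample is reported as having no reliable declaration even though it contains a meta charset tag.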

