Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16806 | APP3530 | SV-17806r1_rule | DCSQ-1 | Medium |
Description |
---|
For web applications, setting the character set on the web page reduces the possibility of the web application receiving unexpected input that uses other character set encodings. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-17804r1_chk ) |
---|
Ask the application representative to review web pages, and determine if the application sets the character set. Perl: after the last header, look for `print "Content-Type: text/html; charset=utf-8\n\n";` PHP: look for the header() function before any content is generated, `header('Content-type: text/html; charset=utf-8');` Java Servlets: look for the setContentType method on the ServletResponse object, `Objectname.setContentType("text/html;charset=utf-8");` JSP: look for a page directive, `<%@ page contentType="text/html; charset=UTF-8" %>` ASP: look for Response.charset, `<%Response.charset="utf-8"%>` ASP.Net: look for Response.ContentEncoding, `Response.ContentEncoding = Encoding.UTF8;` 1) If the application representative cannot demonstrate the above, it is a finding. |
Fix Text (F-17095r1_fix) |
---|
Set the character set on all web pages. |
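
The per-technology statements listed in the check text can be searched for mechanically before the review. The script below is an added example, not part of the STIG; the file-extension mapping, the function names and the sample sources are assumptions made for illustration.

```python
import os
import re

# One pattern per technology named in the check text.
# Mapping them to file extensions is an assumption of this example.
CHARSET_PATTERNS = {
    ".pl":   re.compile(r'print\s+"Content-Type:\s*text/html;\s*charset=[\w-]+', re.I),
    ".php":  re.compile(r'header\(\s*[\'"]Content-type:\s*text/html;\s*charset=[\w-]+[\'"]\s*\)', re.I),
    ".java": re.compile(r'\.setContentType\s*\(\s*"text/html;\s*charset=[\w-]+"\s*\)', re.I),
    ".jsp":  re.compile(r'<%@\s*page\b[^%]*contentType\s*=\s*"text/html;\s*charset=[\w-]+"', re.I),
    ".asp":  re.compile(r'Response\.Charset\s*=\s*"[\w-]+"', re.I),
    ".aspx": re.compile(r'Response\.ContentEncoding\s*=\s*\S+', re.I),
}

def sets_charset(filename, source):
    """True/False when the file type is covered by the check, None otherwise."""
    ext = os.path.splitext(filename)[1].lower()
    pattern = CHARSET_PATTERNS.get(ext)
    if pattern is None:
        return None
    return bool(pattern.search(source))

def audit(files):
    """files maps filename -> source text; returns sorted names with no charset set."""
    return sorted(name for name, src in files.items()
                  if sets_charset(name, src) is False)

# Constructed sample sources (not taken from any real application).
SAMPLE = {
    "index.php":  "<?php header('Content-type: text/html; charset=utf-8'); ?>",
    "legacy.php": "<?php header('Content-type: text/html'); ?>",
    "report.jsp": '<%@ page contentType="text/html; charset=UTF-8" %>',
    "form.asp":   '<%Response.charset="utf-8"%>',
    "Hello.java": 'response.setContentType("text/html");',
    "cgi.pl":     'print "Content-Type: text/html; charset=utf-8\\n\\n";',
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"no charset declared: {name}")
```

A file flagged here may still have its character set applied elsewhere (for example by server or framework configuration), so treat the output as a list of pages to raise with the application representative.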