fix(http): make sure all pages/JS/CSS sent with explicit UTF-8 charset

Fixes #9345
Elgg · Feb 8, 2016 · 3dab7d1 · 3dab7d1
1 parent 332bac1
commit 3dab7d1
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 9 deletions.
diff --git a/engine/classes/Elgg/ActionsService.php b/engine/classes/Elgg/ActionsService.php
@@ -346,9 +346,9 @@ public function ajaxForwardHook($hook, $reason, $return, $params) {
 			// however some browsers will not accept the JSON MIME type.
 			$http_accept = _elgg_services()->request->server->get('HTTP_ACCEPT');
 			if (stripos($http_accept, 'application/json') === false) {
-				header("Content-type: text/plain");
+				header("Content-type: text/plain;charset=utf-8");
 			} else {
-				header("Content-type: application/json");
+				header("Content-type: application/json;charset=utf-8");
 			}
 
 			echo json_encode($params);

diff --git a/engine/classes/Elgg/CacheHandler.php b/engine/classes/Elgg/CacheHandler.php
@@ -191,11 +191,13 @@ protected function sendContentType($view) {
 		$segments = explode('/', $view, 2);
 		switch ($segments[0]) {
 			case 'css':
-				header("Content-Type: text/css", true);
+				header("Content-Type: text/css;charset=utf-8");
 				break;
 			case 'js':
-				header('Content-Type: text/javascript', true);
+				header('Content-Type: text/javascript;charset=utf-8');
 				break;
+			default:
+				header('Content-Type: text/html;charset=utf-8');
 		}
 	}
 

diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
@@ -1510,10 +1510,10 @@ function _elgg_ajax_page_handler($segments) {
 			// Try to guess the mime-type
 			switch ($segments[1]) {
 				case "js":
-					header("Content-Type: text/javascript");
+					header("Content-Type: text/javascript;charset=utf-8");
 					break;
 				case "css":
-					header("Content-Type: text/css");
+					header("Content-Type: text/css;charset=utf-8");
 					break;
 			}
 

diff --git a/index.php b/index.php
@@ -57,6 +57,9 @@
 $router = _elgg_services()->router;
 $request = _elgg_services()->request;
 
+// TODO use formal Response object instead
+header("Content-Type: text/html;charset=utf-8");
+
 if (!$router->route($request)) {
 	forward('', '404');
 }
diff --git a/views/json/page/default.php b/views/json/page/default.php
@@ -8,7 +8,7 @@
  * @uses $vars['body']
  */
 
-header("Content-Type: application/json");
+header("Content-Type: application/json;charset=utf-8");
 
 echo $vars['body'];
 

diff --git a/views/rss/page/default.php b/views/rss/page/default.php
@@ -31,8 +31,8 @@
 
 
 // allow caching as required by stupid MS products for https feeds.
-header('Pragma: public', true);
-header("Content-Type: text/xml");
+header('Pragma: public');
+header("Content-Type: text/xml;charset=utf-8");
 
 echo "<?xml version='1.0'?>";
 echo <<<END