Security Vulnerabilities without <meta chartset=<<"any-encoding">> /> tag?

Question

I have read somewhere that it is good practice to declare the character set

 <meta charset="utf-8">

of your document to protect against a serious security risk.

what are the risks if someone don't define character set in html document?

Answer 1

There is a class of XSS known as UTF-7 XSS.

Under this encoding +ADw- renders as < and +AD4- renders as >. This makes it possible for an attacker to inject

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

and have it rendered and interpreted by the browser as

<script>alert(document.location)</script>

. Old versions of Internet Explorer auto detect the charset. Therefore, if no charset is specified in a response header or a meta tag then the output of sequences such as +ADw "trick" Internet Explorer into rendering the page using UTF-7 making any such injected script execute. This gives rise to the XSS vulnerability.