Is it safe to rely on Content-Type: text/plain to mitigate malicious javascript execution in response?

we have a web application that returns


HTTP/1.1 400 Bad Request
...
Content-Type: text/plain;charset=UTF-8
Content-Length: 57
Date: Tue, 14 Apr 2015 19:24:54 GMT
Connection: close

Invalid project area item id <script>alert(1086)</script>

It is my understanding that relying on Content-Type: text/plain;charset=UTF-8 as the defense to prevent javascript from executing is NOT enough. Rather, the output should be encoded, and the input should likely be validated and garbage thrown out.

What I'm looking for is some crystal clear and official answer on the right approach for handling responses that have javascript where the Content-Type has been set to text/plain.

Does anyone have a link (or answer) to an official example of this scenario and the right way to handle it? Or is Content-Type: text/plain;charset=UTF-8 all that is needed?

securityqq asked Jun 17 '15 17:06

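As an added illustration (not code from the question's application or from any real framework), here is a hypothetical Python handler that applies the layered approach the question describes: validate the id against an allow-list first, HTML-encode anything that is reflected back, and keep Content-Type: text/plain. It also adds X-Content-Type-Options: nosniff, a header the question does not mention; it is the standard way to stop browsers from content-sniffing a text/plain body into text/html, which is the historical reason the content type alone was not a reliable defense. The regular expression and the response shape are assumptions for the example.

```python
import html
import re

# Constructed sample: the attacker-controlled id shown in the question's response body.
SAMPLE_BAD_ID = "<script>alert(1086)</script>"

# Hypothetical allow-list for a project area item id (assumption for this example).
VALID_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_valid_item_id(item_id: str) -> bool:
    """Input validation: accept only characters an item id is allowed to contain."""
    return bool(VALID_ID_RE.match(item_id))


def build_error_response(item_id: str) -> dict:
    """Build a 400 response that reflects the rejected id safely.

    Three independent layers are applied:
      1. the reflected value is HTML-escaped, so even a client that renders the
         body as HTML sees inert text;
      2. Content-Type is text/plain, so a conforming client never parses it as HTML;
      3. X-Content-Type-Options: nosniff tells browsers not to override that type
         by sniffing the body (older Internet Explorer versions would otherwise
         promote HTML-looking text/plain bodies to text/html).
    """
    safe_id = html.escape(item_id, quote=True)
    body = f"Invalid project area item id {safe_id}"
    encoded = body.encode("utf-8")
    return {
        "status": 400,
        "headers": {
            "Content-Type": "text/plain;charset=UTF-8",
            "X-Content-Type-Options": "nosniff",
            "Content-Length": str(len(encoded)),
        },
        "body": body,
    }


def handle_request(item_id: str) -> dict:
    """Hypothetical request handler: validate first, reflect only in escaped form."""
    if is_valid_item_id(item_id):
        return {
            "status": 200,
            "headers": {"Content-Type": "text/plain;charset=UTF-8"},
            "body": f"item {item_id} ok",
        }
    return build_error_response(item_id)


if __name__ == "__main__":
    resp = handle_request(SAMPLE_BAD_ID)
    print(resp["status"], resp["headers"])
    print(resp["body"])
```

Note that the escaping in step 1 is what makes the answer robust regardless of how the client treats the content type; steps 2 and 3 only make sure a browser does not second-guess the declared type.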


1 Answer

https://www.rfc-editor.org/rfc/rfc2046: 'text/plain' should not be processed as any kind of instructions, and is seen simply as a linear sequence of characters.

Wood answered Nov 15 '22 16:11