Jinja check: Missing meta charset

HTML documents should include a charset declaration in the <head> of the document. This prevents the browser from incorrectly interpreting the character encoding of the document. The character encoding can impact the security of the web page.

Description

Web pages missing a <meta> charset declaration may be vulnerable to many different esoteric forms of XSS attacks, such as Javascript execution via CESU-8, UTF-7, BOCU-1, or SCSU encoding.

This check will detect the following case.

<html>
  <body>
    ...
  </body>
</html>

The check will consider the following cases acceptable.

<html>
  <head>
    <meta charset="UTF-8" />
  </head>
  <body>
    ...
  </body>
</html>

References