Jinja check: Missing meta content type

HTML documents should include a Content-Type declaration in the <head> of the document. This declaration provides defense-in-depth against the browser incorrectly interpreting the character encoding of the document. The character encoding can impact the security of the web page.

Description

Web pages missing a <meta> Content-Type declaration may be vulnerable to many different esoteric forms of XSS attacks, such as JavaScript execution via CESU-8, UTF-7, BOCU-1, or SCSU encoding.

This declaration provides additional defense-in-depth on top of setting the <meta> charset. Including the <meta> Content-Type provides protection when using the file:// protocol or when using older browsers.

This check will detect the following case.

<html>
  <body>
    ...
  </body>
</html>

The check will consider the following case acceptable.

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  </head>
  <body>
    ...
  </body>
</html>
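The two cases above can be reproduced with a small standalone checker. This is an added example, not the check's own implementation: the names MetaContentTypeFinder and missing_meta_content_type are hypothetical, and it assumes that only templates containing an <html> element are full documents worth flagging, and that a <meta charset> tag alone does not satisfy the check.

```python
from html.parser import HTMLParser

# Constructed samples mirroring the flagged and accepted cases on this page.
FLAGGED = "<html>\n  <body>\n    ...\n  </body>\n</html>"
ACCEPTED = (
    "<html>\n  <head>\n"
    '    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />\n'
    "  </head>\n  <body>\n    ...\n  </body>\n</html>"
)


class MetaContentTypeFinder(HTMLParser):
    """Records a charset declared by <meta http-equiv="Content-Type"> inside <head>."""

    def __init__(self):
        super().__init__()
        self.saw_html = False
        self.in_head = False
        self.declared_charset = None

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.saw_html = True
        elif tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            # Attribute names arrive lowercased; values may be None.
            a = {name: (value or "") for name, value in attrs}
            if a.get("http-equiv", "").strip().lower() != "content-type":
                return
            # content looks like "text/html; charset=UTF-8": scan the parameters.
            for param in a.get("content", "").split(";")[1:]:
                key, _, value = param.partition("=")
                if key.strip().lower() == "charset" and value.strip():
                    self.declared_charset = value.strip()

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def missing_meta_content_type(template_source):
    """True when a full HTML document lacks the Content-Type meta in <head>."""
    finder = MetaContentTypeFinder()
    finder.feed(template_source)
    finder.close()
    # Assumption: fragments and child templates without <html> are skipped.
    return bool(finder.saw_html and finder.declared_charset is None)
```

Jinja tags such as {% block %} pass through the parser as plain text, so the function can be run directly over template source.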
