jinjalint-meta-charset

tl;dr HTML documents should include a <meta> Content-Type declaration in the <head> of the document. This declaration provides defense-in-depth against the browser incorrectly interpreting the character encoding of the document. The character encoding can impact the security of the web page.

Description

Web pages missing a <meta> Content-Type declaration may be vulnerable to many esoteric forms of XSS attack, such as JavaScript execution via CESU-8, UTF-7, BOCU-1, or SCSU encoding.

This declaration provides additional defense-in-depth on top of setting the <meta> charset. Including the <meta> Content-Type provides protection when using the file:// protocol or when using older browsers.

This check will detect the following case.

<html>
    <body>
        ...
    </body>
</html>

The check will consider the following case acceptable.

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    <body>
        ...
    </body>
</html>
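
A minimal sketch of this check in Python, added here as an illustration and not jinjalint's own implementation. It uses the standard-library html.parser; the names MetaContentTypeFinder and declared_charset and the sample documents are constructed for this example.

```python
from html.parser import HTMLParser


class MetaContentTypeFinder(HTMLParser):
    """Records the charset named by <meta http-equiv="Content-Type"> inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.charset = None  # stays None when no usable declaration is found

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head and self.charset is None:
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").lower() == "content-type":
                # content looks like "text/html; charset=UTF-8"
                for part in a.get("content", "").split(";"):
                    name, _, value = part.strip().partition("=")
                    if name.strip().lower() == "charset" and value.strip():
                        self.charset = value.strip()

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def declared_charset(html):
    """Return the declared charset, or None if the document should be flagged."""
    finder = MetaContentTypeFinder()
    finder.feed(html)
    finder.close()
    return finder.charset


# Constructed sample documents mirroring the two cases shown above,
# plus a declaration placed in <body>, which does not count as being in <head>.
MISSING = "<html><body>...</body></html>"
OK = ('<html><head><meta http-equiv="Content-Type" '
      'content="text/html; charset=UTF-8"></head><body>...</body></html>')
IN_BODY = ('<html><head></head><body><meta http-equiv="Content-Type" '
           'content="text/html; charset=UTF-8"></body></html>')

if __name__ == "__main__":
    for label, doc in (("missing", MISSING), ("ok", OK), ("in body", IN_BODY)):
        print(label, "->", declared_charset(doc) or "FLAG: no Content-Type in <head>")
```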

References