UTF-7 Charset Definition

With Optional Content Security Policy and "X-XSS-Protection" Header(s)

(see tables at the bottom of this page)

!!!Fixed by MS15-XXX!!!

It might be MS15-022, or maybe MS15-026, or maybe MS15-033, or maybe MS15-036

Credit: @garethheyes from this blog post


"Spartan"/"Edge" Update:

Microsoft's "Spartan"/"Edge" browser respects the Content Security Policy header. Properly utilized, it will prevent this type of injection from working.

This does not fix the underlying issue, and expecting every website everywhere to add correctly formatted Content Security Policy HTTP response headers is unrealistic.


The injection contains a UTF-7 Charset Definition that overrides the default UTF-8 Charset Definition. The injected JavaScript should execute automatically.

For this injection to work, there are three prerequisites that must be met:

  1. The Content-Type HTTP Response header must have a text/html directive.
  2. The Content-Type HTTP Response header must have a blank or missing charset directive.
  3. The injection must land either on a page that has no charset-defining <meta> tag at all, or above that tag; an injection that lands below the tag has no effect. The three demo pages below cover each case in turn.



Injection onto a blank page with no <meta charset="something"> or <meta http-equiv="content-type" content="text/html; charset=something"> HTML tag.

Source of "charsetInjectionBlankPage.php"



Injection onto a page higher up than the <meta charset="something"> or <meta http-equiv="content-type" content="text/html; charset=something"> HTML tag.

Source of "charsetInjectionBefore.php"



The following example will not work, as the injection lands after the charset definition.
It is included to demonstrate this behavior.

Injection onto a page after the <meta charset="something"> or <meta http-equiv="content-type" content="text/html; charset=something"> HTML tag.

Source of "charsetInjectionAfter.php"

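The following Python script is an added defensive check; it is not code from this demo page or from its PHP sources. It encodes the three prerequisites listed above (a text/html Content-Type, no charset in that header, and the injection landing on a page with no charset-defining <meta> tag or above it) and classifies the three demo layouts (blank page, injection above the <meta> tag, injection below it). The page bodies, the header values and the MARKER placeholder are constructed for illustration, and the hardened header set follows the "All 3 CSP headers" row of Table 1 below.

```python
"""Defensive check for UTF-7 charset-override exposure in an HTTP response.

Added example, not code from the demo page or its PHP sources. It encodes
the three prerequisites (text/html, no charset in the Content-Type header,
injection landing on a page with no <meta charset> or above it) and
classifies the three demo layouts. MARKER, the page bodies and the header
values are constructed placeholders, not captured responses.
"""
import re
from typing import Dict, List, Tuple

# Matches either <meta charset=...> or
# <meta http-equiv="content-type" content="...; charset=...">
META_CHARSET_RE = re.compile(
    rb"<meta\s+(?:charset\s*=\s*[\"']?\s*([A-Za-z0-9_\-]+)"
    rb"|http-equiv\s*=\s*[\"']?content-type[\"']?[^>]*charset\s*=\s*([A-Za-z0-9_\-]+))",
    re.IGNORECASE,
)

# Constructed placeholder for the spot where reflected input lands in the page.
MARKER = b"{INJECTION_POINT}"
BLANK_PAGE = b"<html><body>Hello " + MARKER + b"</body></html>"
BEFORE_META_PAGE = (b"<html><head><title>" + MARKER + b"</title>"
                    + b'<meta charset="utf-8"></head><body></body></html>')
AFTER_META_PAGE = (b'<html><head><meta http-equiv="content-type" '
                   + b'content="text/html; charset=utf-8"></head><body>'
                   + MARKER + b"</body></html>")

# The three CSP header names from Table 1 ("All 3 CSP headers" row).
CSP_HEADER_NAMES = ("Content-Security-Policy", "X-Content-Security-Policy", "X-Webkit-CSP")


def header_charset(content_type: str) -> Tuple[bool, str]:
    """Parse a Content-Type value into (is_text_html, charset).

    A blank charset (charset=) is treated as missing, as prerequisite 2 says.
    """
    parts = [p.strip() for p in content_type.split(";")]
    charset = ""
    for p in parts[1:]:
        name, _, value = p.partition("=")
        if name.strip().lower() == "charset":
            charset = value.strip().strip('"').lower()
    return parts[0].lower() == "text/html", charset


def charset_override_exposure(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return the reasons an injected charset declaration could take effect, [] if none."""
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    is_html, charset = header_charset(ct)
    if not is_html:
        return []                       # prerequisite 1 fails
    if charset:
        return []                       # prerequisite 2 fails: header charset wins
    injection_at = body.find(MARKER)
    if injection_at < 0:
        return []                       # nothing reflected into this page
    meta = META_CHARSET_RE.search(body)
    if meta is None:
        return ["text/html without charset", "no <meta charset> in body"]
    if meta.start() > injection_at:
        return ["text/html without charset", "injection lands above <meta charset>"]
    return []                           # prerequisite 3 fails: the meta tag comes first


def harden_headers(headers: Dict[str, str], add_csp: bool = True) -> Dict[str, str]:
    """Pin the charset in Content-Type and, optionally, send script-src 'self' CSP headers."""
    fixed = dict(headers)
    for name in list(fixed):
        if name.lower() == "content-type":
            is_html, charset = header_charset(fixed[name])
            if is_html and not charset:
                fixed[name] = "text/html; charset=UTF-8"
    if add_csp:
        for name in CSP_HEADER_NAMES:
            fixed.setdefault(name, "script-src 'self';")
    return fixed


def classify_demo_pages(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over the three constructed layouts with the given response headers."""
    return {
        "blank": charset_override_exposure(headers, BLANK_PAGE),
        "before_meta": charset_override_exposure(headers, BEFORE_META_PAGE),
        "after_meta": charset_override_exposure(headers, AFTER_META_PAGE),
    }


if __name__ == "__main__":
    weak = {"Content-Type": "text/html"}
    for label, hdrs in (("weak headers", weak), ("hardened headers", harden_headers(weak))):
        print(label, classify_demo_pages(hdrs))
```

With the weak header set, the blank page and the "before" page report exposure while the "after" page does not, matching the three demo results; once the Content-Type header carries an explicit charset, all three report nothing, which is the fix the demo pages lack.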




Table 1 of 2: To add the Content Security Policy header(s) of choice, refer to the following table. Each entry gives the query string parameter/value pair to add to the injection, the CSP header(s) it selects, and the HTTP response header(s) the page then sends:

Content Security Policy Options

(none)  No CSP header is sent (N/A)

csp=0   All 3 CSP headers
        Content-Security-Policy: script-src 'self';
        X-Content-Security-Policy: script-src 'self';
        X-Webkit-CSP: script-src 'self';

csp=1   Just the official CSP header (Chrome 25+, Firefox 23+, Opera 19+, "Spartan"/"Edge")
        Content-Security-Policy: script-src 'self';

csp=2   Just the header recognized by Internet Explorer 10 & 11
        X-Content-Security-Policy: script-src 'self';

csp=3   Just the header recognized by Chrome 14 through 24 & Safari 6+
        X-Webkit-CSP: script-src 'self';

csp=4   Both the official and the Internet Explorer-recognized headers
        Content-Security-Policy: script-src 'self';
        X-Content-Security-Policy: script-src 'self';

csp=5   Both the official and the Chrome 14 through 24 & Safari 6+-recognized headers
        Content-Security-Policy: script-src 'self';
        X-Webkit-CSP: script-src 'self';

csp=6   Both the Internet Explorer-recognized and the Chrome 14 through 24 & Safari 6+-recognized headers
        X-Content-Security-Policy: script-src 'self';
        X-Webkit-CSP: script-src 'self';


Table 2 of 2: To add the X-XSS-Protection header of choice, refer to the following table. Each entry gives the query string parameter/value pair to add to the injection, the behaviour it selects, and the HTTP response header the page then sends:

X-XSS-Protection Options

(none)  No X-XSS-Protection header is sent (N/A)

xph=0   Disable XSS protection
        X-XSS-Protection: 0

xph=1   Enable XSS protection
        X-XSS-Protection: 1

xph=2   Enable XSS protection, block rendering of the page
        X-XSS-Protection: 1; mode=block
