"charset=utf-8" definition is missing in \templates\system\error.php

I'm not an expert, but this could bring a risk of reflected XSS on the "Home Page" link of the error page.

Insert the following line right after <head>:
<meta http-equiv="content-type" content="text/html; charset=utf-8" />

Additional fix:
While at it, also fix the XHTML validation issue with <ul> being inside <p>. ( List elements (in particular, ol and ul elements) cannot be children of p elements - see ) I.e. remove the <p> line before <ul> and the </p> line after </ul>.

Here is the complete patch:
@@ -21,2 +21,3 @@
+ <meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title><?php echo $this->error->code ?> - <?php echo $this->title; ?></title>

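Review bot: The added meta line hard-codes charset=utf-8, which can disagree with a site configured for a different encoding; consider emitting the site's encoding instead, e.g. `charset=<?php echo $this->getCharset(); ?>` as proposed later in this report. The title line directly below it echoes `$this->error->code` and `$this->title` without escaping, which is worth wrapping in htmlspecialchars() while this file is being touched.
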
@@ -43,3 +44,2 @@
<p><strong><?php echo JText::_('Please try one of the following pages:'); ?></strong></p>
- <p>

@@ -47,3 +47,2 @@
- </p>
<p><?php echo JText::_('If difficulties persist, please contact the system administrator of this site.'); ?></p>

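Review bot: The `</p>` removed here at old line 47 is only balanced if the `<p>` removal in the previous hunk (old line 44) is applied with it; applied alone, either hunk leaves an unclosed or stray paragraph tag. The `<ul>` lines between the two are not in the context, so confirm against the file that the removed pair wraps the list and nothing else.
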
Test after fix:
Validate the error page HTML code (e.g. open a non-existing URL of your website to get a "404 Page not found" error) on Either by providing a link to the page to the validator, if on a public server, or by pasting the page HTML source code copied from a browser. Make sure there are neither validation errors nor warnings.
Note: If validating using a link, the "Validate error pages" checkbox under "More Options" of the validator will need to be activated.

The missing charset definition issue affects current Joomla versions too. I'm going to submit a separate bug report for them and post it here later.
Opened On:
10 Aug 2013, 19:47 by Jonny Roger

Filed Under

  • Administrator


Posted on 10 Aug 2013, 20:12 by Jonny Roger
Submitted the following bug report for the currently supported versions of Joomla:

Posted on 17 Aug 2013, 11:46 by Jonny Roger

P.S.: To prevent a possible mis-alignment with the site-globally configured character encoding, the following line above:
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
could be replaced with the following line:
<meta http-equiv="content-type" content="text/html; charset=<?php echo $this->getCharset(); ?>" />
That would use the character encoding of the site, instead of hard-coding it to "utf-8". Although it is advisable to have the character encoding of the site set to "utf-8" (which is the Joomla default, i.e. don't change it in the first place), as described in

Posted on 8 Sep 2013, 12:57 by Jonny Roger

Also, as additional hardening, the following on lines 37 and 54:

  echo $this->error->message

should be changed to:

  echo htmlspecialchars($this->error->message, ENT_QUOTES, 'UTF-8')
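
A template audit covering the three fixes discussed in this report (charset declared in <head>, escaped $this->error->message, no <ul> inside <p>), as an added example that is not part of the original report or of Joomla. The two sample templates are constructed, and the function and finding names are hypothetical.

```python
import re

# Constructed samples modelled on the report; not the real Joomla error.php.
BEFORE = """<html><head>
<title><?php echo $this->error->code ?> - <?php echo $this->title; ?></title>
</head><body>
<p><?php echo $this->error->message; ?></p>
<p>
<ul><li><a href="index.php">Home Page</a></li></ul>
</p>
</body></html>"""

AFTER = """<html><head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title><?php echo $this->error->code ?> - <?php echo $this->title; ?></title>
</head><body>
<p><?php echo htmlspecialchars($this->error->message, ENT_QUOTES, 'UTF-8'); ?></p>
<ul><li><a href="index.php">Home Page</a></li></ul>
</body></html>"""


def audit_template(src):
    """Return sorted finding names (hypothetical labels) for one template."""
    findings = set()

    # 1. A charset must be declared by a <meta> inside <head>.
    head = re.search(r"<head\b[^>]*>(.*?)</head>", src, re.I | re.S)
    if not head or not re.search(r"<meta\b[^>]*charset\s*=", head.group(1), re.I):
        findings.add("no-charset")

    # 2. Every echo of the error message must go through htmlspecialchars().
    for m in re.finditer(r"echo\s+([^;?]*\$this->error->message[^;?]*)", src):
        if "htmlspecialchars(" not in m.group(1):
            findings.add("unescaped-message")

    # 3. Walk <p>/<ul> tags in order; a <ul> while a <p> is open is invalid.
    p_open = False
    for closing, name in re.findall(r"<(/?)(p|ul)\b[^>]*>", src, re.I):
        if name.lower() == "p":
            p_open = not closing
        elif not closing and p_open:
            findings.add("ul-inside-p")
    return sorted(findings)


if __name__ == "__main__":
    print("before:", audit_template(BEFORE))
    print("after: ", audit_template(AFTER))
```

The same function can be pointed at the contents of any template file read from disk; it is a text-level check and does not replace running the rendered page through an HTML validator.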