Express adding charset to Content-Type

[julien51]

We found that by default Express adds the utf-8 charset by default to the Content-Type string. But does it always make sense? The W3C spec says:

Documents transmitted with HTTP that are of type text, such as text/html, text/plain, etc., can send a charset parameter in the HTTP header to specify the character encoding of the document.

However, sometimes people use Content-Typewhich are not text based, like application/... and in their cases, it probably not blindly add charset:utf-8.

[dougwilson]

We do this to protect you from certain attacks. If you don't want it added, then either don't use res.send or give res.send a Buffer instead of a string (since Buffer is not text and a string is text).

[juliankrispel]

@dougwilson Maybe documenting that somewhere would be a good idea?

[dougwilson]

@juliankrispel I didn't realize it wasn't, I'm sorry! Please open an issue at https://github.com/strongloop/expressjs.com (or even a PR), to get this documented :)! We implemented it because Express was seriously exploited previously, enough to get us not doing this CVE-2014-6393.