All system files generated dynamically must have an explicitly defined character set (charset).
CAPEC-242: Code Injection. An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing.
CWE-116: Improper Encoding or Escaping of Output. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
CWE-173: Improper Handling of Alternate Encoding. The software does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.
OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements.(14.4.1) Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1).