All system files generated dynamically must have an explicitly defined character set (charset).
CAPEC-242: Code Injection: An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing.
CWE-116: Improper Encoding or Escaping of Output: The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
CWE-173: Improper Handling of Alternate Encoding: The software does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.
OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements.(14.4.1): Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1).