Seems that I was wrong and Brian Eaton <eaton.lists@xxxxxxxxx> was right: default apache installations seem to return an explicit charset in their error message. (Now I cannot explain how I convinced myself otherwise.)

Then there is no Universal XSS against default Apache webservers...

Cheers,

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia