Content Character Encoding is not Defined
Web browsers need to know the character encoding of a document in order to render it correctly. When the character encoding is not explicitly declared, the browser has to either guess (sniff) the encoding or fall back to a default. This allows attackers to exploit vulnerabilities like XSS by supplying content in a different encoding, such as UTF-7, that the browser may interpret differently than the server intended.
Send the character encoding in the HTTP Content-Type header, as shown below:
Content-Type: text/html; charset=UTF-8
or use an HTML meta tag like the one below:
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
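The following is an added example (not part of the original page) of a check a reviewer or scanner could run to detect this finding: it inspects a response's headers and body and reports the declared charset, or none if the browser would be left to guess. The header names, sample responses and the function names are constructed for illustration; the 1024-byte limit reflects the HTML standard's requirement that a meta charset declaration appear within the first 1024 bytes.

```python
import re
from typing import Optional

# charset parameter inside a Content-Type value, e.g. "text/html; charset=UTF-8"
_CHARSET_PARAM = re.compile(r'charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.IGNORECASE)
# any <meta ...charset=...> form: <meta charset="utf-8"> or
# <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
_META_CHARSET = re.compile(r'<meta\s[^>]*?charset\s*=\s*["\']?([A-Za-z0-9._-]+)', re.IGNORECASE)

# Browsers only honour a meta charset that is serialized within the first 1024 bytes
META_PRESCAN_LIMIT = 1024


def declared_charset(headers: dict, body: str) -> Optional[str]:
    """Return the charset the response declares (upper-cased), or None if undeclared.

    The HTTP header wins over a meta tag, matching browser behaviour.
    """
    for name, value in headers.items():          # header names are case-insensitive
        if name.lower() == "content-type":
            m = _CHARSET_PARAM.search(value)
            if m:
                return m.group(1).upper()
    m = _META_CHARSET.search(body[:META_PRESCAN_LIMIT])
    if m:
        return m.group(1).upper()
    return None


def audit_encoding(headers: dict, body: str) -> str:
    """Produce a one-line finding for a response, as a scanner would report it."""
    charset = declared_charset(headers, body)
    if charset is None:
        return "FAIL: character encoding not defined; browser must guess the charset"
    return f"PASS: charset declared as {charset}"


# Constructed sample responses (not real captures)
GOOD_HEADER = ({"Content-Type": "text/html; charset=UTF-8"}, "<html><body>hi</body></html>")
GOOD_META = ({"Content-Type": "text/html"},
             '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body></body></html>')
MISSING = ({"Content-Type": "text/html"}, "<html><body>hi</body></html>")
# meta tag present but pushed past the 1024-byte prescan window, so it does not count
LATE_META = ({"Content-Type": "text/html"},
             "<html><head>" + "<!-- padding -->" * 80 + '<meta charset="utf-8"></head></html>')

if __name__ == "__main__":
    for label, resp in [("header", GOOD_HEADER), ("meta", GOOD_META),
                        ("missing", MISSING), ("late meta", LATE_META)]:
        print(f"{label:10s} {audit_encoding(*resp)}")
```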