This vulnerability occurs when the application does not properly set its response character set, allowing an attacker to manipulate the HTML and potentially inject malicious code. A compromised charset declaration can be used to bypass server-side XSS protections and embed scripts in the page.
Ensure that all charset declarations are set to UTF-8. If user input must determine a charset declaration, accept only values from a specific list of allowed values.
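
One way to implement the allow-list described above, as an added example that is not code from the original page. The names `ALLOWED_CHARSETS`, `resolve_charset` and `html_headers_and_meta`, and the ISO-8859-1 legacy entry, are assumptions made for illustration.

```python
import re

# Assumption: the only charsets this application ever needs to serve.
# UTF-8 is the default; ISO-8859-1 stands in for a hypothetical legacy need.
ALLOWED_CHARSETS = {"utf-8": "UTF-8", "iso-8859-1": "ISO-8859-1"}
DEFAULT_CHARSET = "UTF-8"

# Cheap pre-check: a charset label is a short token without spaces,
# control characters or separators. Anything else falls back to the default.
_LABEL = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}")


def resolve_charset(requested):
    """Map a user-supplied charset to an allowed canonical name.

    The return value always comes from ALLOWED_CHARSETS or the default,
    so the caller never echoes user input into a declaration.
    """
    if not isinstance(requested, str):
        return DEFAULT_CHARSET
    candidate = requested.strip()
    if not _LABEL.fullmatch(candidate):
        return DEFAULT_CHARSET
    return ALLOWED_CHARSETS.get(candidate.lower(), DEFAULT_CHARSET)


def html_headers_and_meta(requested):
    """Build a matching Content-Type header and <meta> declaration."""
    charset = resolve_charset(requested)
    header = ("Content-Type", f"text/html; charset={charset}")
    meta = f'<meta charset="{charset}">'
    return header, meta


if __name__ == "__main__":
    # Constructed sample inputs: allowed, unlisted, malformed, missing.
    for value in ["utf-8", " ISO-8859-1 ", "utf-7", "utf-8\r\nX-Test: 1", None]:
        print(repr(value), "->", html_headers_and_meta(value))
```

The header and the `<meta>` tag are built from the same resolved value, so the two declarations cannot disagree.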