HTML5 template

Thanks to Mark Pilgrim, HTML5: Up and Running, O'Reilly, 2010.


<!DOCTYPE html>
<html lang="en">

    <head>
        <meta charset="utf-8">
        <title>XXXXXXX</title>
        <link rel="stylesheet" href="XXXXXXX.css">
    </head>

    <body>

    </body>

</html>

Security vulnerability

When the web server does not declare a character encoding for its HTTP response, neither in the Content-Type header nor in a <meta> tag in the HTML itself, Internet Explorer will try to guess (sniff) the encoding from the bytes of the page. If certain strings of user input, say +ADw-script+AD4-alert(1)+ADw-/script+AD4-, are echoed back early enough in the HTML page, Internet Explorer may wrongly conclude that the page is encoded in UTF-7. That string is simply <script>alert(1)</script> written in UTF-7, where < is spelled +ADw- and > is spelled +AD4-. Because the raw input contains no < or > characters, ordinary HTML escaping of the output leaves it untouched, so the otherwise harmless user input suddenly becomes active HTML and the script executes.
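To see what the sniffing does to those bytes, here is an added Python example (not from the book or the original note) that decodes the quoted payload under three candidate encodings and runs it through html.escape(). The payload bytes are constructed from the string in the text; nothing else is assumed.

```python
import html

# Constructed sample: the UTF-7 payload quoted in the text, as the raw bytes
# a web server would echo back into the page.
PAYLOAD = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def decode_as(raw, charset):
    """Decode the echoed bytes the way a browser that settled on `charset` would."""
    return raw.decode(charset)


def contains_markup(text):
    """True when the decoded text contains characters that open or close an HTML tag."""
    return "<" in text or ">" in text


def escaped_output(raw):
    """The usual XSS defence: HTML-escape the input before echoing it.
    Seen as ASCII/UTF-8 there is nothing to escape, which is why output
    encoding alone does not stop this attack."""
    return html.escape(raw.decode("utf-8"))


def demo():
    """Map each candidate charset to (decoded text, whether it is live markup)."""
    results = {}
    for charset in ("utf-8", "iso-8859-1", "utf-7"):
        decoded = decode_as(PAYLOAD, charset)
        results[charset] = (decoded, contains_markup(decoded))
    return results


if __name__ == "__main__":
    for charset, (decoded, active) in demo().items():
        print(f"{charset:11} -> {decoded!r}  active markup: {active}")
    print("html.escape() leaves the input unchanged:",
          escaped_output(PAYLOAD) == PAYLOAD.decode("utf-8"))
```

Only the UTF-7 reading turns the bytes into a script tag; under UTF-8 or Latin-1 they are plain text, and html.escape() has nothing to do because the dangerous characters only exist after the browser has chosen the wrong decoder.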

Solution

Always declare the character encoding: in the Content-Type HTTP header (for example Content-Type: text/html; charset=utf-8), in the HTML itself, or preferably both; when both are present the HTTP header takes precedence. Of course, the declared charset must match the encoding the bytes are actually in. Declaring an incorrect charset can be worse than not setting one at all, since the browser will then decode the whole page wrongly.

To set the encoding within the HTML document, put a <meta> tag in the <head>, before any other content, so that it falls within the first 1024 bytes of the file, which is where the HTML5 parser looks for it:

<meta charset="utf-8">
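As an added example (not from the book or the original note), the following Python builds the template above with a user-supplied string echoed into it, once without any charset declaration and once with the charset declared in both the header and the document, and adds a small audit function that reports which charset a browser following the HTML5 rules would pick (HTTP header first, then a <meta> within the first 1024 bytes) and whether the body really decodes as it. The (status, headers, body) tuple, the "Echo" title and the "You searched for" line are assumptions made for the demo.

```python
import html
import re

# The note's HTML5 template with a <title> and a slot for echoed user input.
# The <meta charset> sits at the top of <head>, so it is inside the first
# 1024 bytes, which is where the HTML5 parser looks for it.
TEMPLATE = (
    "<!DOCTYPE html>\n"
    '<html lang="en">\n'
    "<head>\n"
    '<meta charset="utf-8">\n'
    "<title>Echo</title>\n"
    "</head>\n"
    "<body>\n"
    "<p>You searched for: {query}</p>\n"
    "</body>\n"
    "</html>\n"
)
CHARSET = "utf-8"

# Constructed sample input: the UTF-7 payload from the text.
PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def vulnerable_response(user_input):
    """Weak setting: no charset in the header and no <meta charset>, so the
    browser has to guess. Returns an assumed (status, headers, body) tuple."""
    body = TEMPLATE.replace('<meta charset="utf-8">\n', "")
    body = body.format(query=html.escape(user_input)).encode(CHARSET)
    return "200 OK", [("Content-Type", "text/html")], body


def secure_response(user_input):
    """Fix: declare the charset in the Content-Type header and in the
    document, and encode the bytes with that same charset."""
    body = TEMPLATE.format(query=html.escape(user_input)).encode(CHARSET)
    return "200 OK", [("Content-Type", "text/html; charset=" + CHARSET)], body


_HEADER_CHARSET = re.compile(r'charset\s*=\s*"?([\w.:-]+)', re.IGNORECASE)
_META_CHARSET = re.compile(rb'<meta\s[^>]*charset\s*=\s*["\']?\s*([\w.:-]+)',
                           re.IGNORECASE)


def declared_charset(headers, body):
    """Charset a browser following the HTML5 rules would settle on, or None.
    The HTTP header takes precedence; a <meta> (either the charset attribute
    or the http-equiv Content-Type form) only counts within the first 1024
    bytes of the body."""
    for name, value in headers:
        if name.lower() == "content-type":
            m = _HEADER_CHARSET.search(value)
            if m:
                return m.group(1).lower()
    m = _META_CHARSET.search(body[:1024])
    return m.group(1).decode("ascii").lower() if m else None


def audit(headers, body):
    """Verdict for one response: 'ok' when a charset is declared and the body
    decodes as it, 'mismatch' when the declared charset does not fit the
    bytes, 'undeclared' when the browser is left to guess."""
    charset = declared_charset(headers, body)
    if charset is None:
        return "undeclared"
    try:
        body.decode(charset)
    except (UnicodeDecodeError, LookupError):
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    for name, (status, headers, body) in (("vulnerable", vulnerable_response(PAYLOAD)),
                                          ("secure", secure_response(PAYLOAD))):
        print(f"{name}: declared={declared_charset(headers, body)} "
              f"verdict={audit(headers, body)}")
```

The audit function is the check to run against real responses (feed it the header list and raw body from curl or a client library): an "undeclared" verdict means the page is open to encoding sniffing, and a "mismatch" means the declaration is wrong, which the text warns can be worse than none. Note that the decode check only catches gross mismatches; a single-byte charset such as ISO-8859-1 will accept any bytes, so confirm the declared charset against how the files are actually saved.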