They don't have to use it directly.

GET / HTTP/1.0

Accept-Language: en;q=2.2250738585072012e-308

If you're running Tomcat and you call getLocale() on that servlet request, you're toast.

This is precisely why "q" is defined only to accept three digits after the decimal. It's actually not a floating point number, and anyone who parses it as such is just being lazy.

"q" is more properly represented natively as an integer between 0 and 1000.

apparently q is not properly parsed in JBoss which is based on apache tomcat scaring not?