Commit 6baece1e authored by Steven Wittens

- Clarify utf-7 exploit in drupal_set_header()

parent 1238ccd6
......@@ -127,6 +127,9 @@ function drupal_clear_path_cache() {
/**
* Set an HTTP response header for the current page.
*
* Note: when sending a Content-Type header, always include a 'charset' type
* too. This is necessary to avoid security bugs (e.g. UTF-7 XSS).
*/
function drupal_set_header($header = NULL) {
// We use an array to guarantee there are no leading or trailing delimiters.
......
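Review bot: In the note added to the drupal_set_header() docblock, "always include a 'charset' type too" is imprecise, because charset is a parameter of the Content-Type value rather than a type. Suggest wording it as "always include a 'charset' parameter" and giving the expected form inline, for example "Content-Type: text/html; charset=utf-8", so callers can copy it. It would also help to say in one clause why this matters: without a declared charset the browser may guess the encoding, which is what makes the UTF-7 XSS case possible. As far as the visible lines show, this is documentation only, so every caller still has to follow the rule itself.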