- Clarify utf-7 exploit in drupal_set_header()

6baece1e · Steven Wittens · 1238ccd6 · 6baece1e
Commit 6baece1e authored Oct 17, 2006 by Steven Wittens
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

includes/common.inc includes/common.inc +3 -0

No files found.
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -127,6 +127,9 @@ function drupal_clear_path_cache() {

 /**
 * Set an HTTP response header for the current page.
+ *
+ * Note: when sending a Content-Type header, always include a 'charset' type
+ * too. This is necessary to avoid security bugs (e.g. UTF-7 XSS).
 */
 function drupal_set_header($header = NULL) {
  // We use an array to guarantee there are no leading or trailing delimiters.