author | Steven Wittens <steven@10.no-reply.drupal.org> | 2006-10-17 04:45:29 +0000 |
---|---|---|
committer | Steven Wittens <steven@10.no-reply.drupal.org> | 2006-10-17 04:45:29 +0000 |
commit | 6baece1e1bb22717a769e9a3e15b166432633239 (patch) | |
tree | 1bed38171ba5e03cf5e9f87d4efcf7c22650de73 | |
parent | 1238ccd6d05a7fd112c726e097998d68e8da12d7 (diff) | |
- Clarify utf-7 exploit in drupal_set_header()
-rw-r--r-- | includes/common.inc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 4b47f92cb..b003314fa 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -127,6 +127,9 @@ function drupal_clear_path_cache() {
 /**
 * Set an HTTP response header for the current page.
+ *
+ * Note: when sending a Content-Type header, always include a 'charset' type
+ * too. This is necessary to avoid security bugs (e.g. UTF-7 XSS).
 */
 function drupal_set_header($header = NULL) {
 // We use an array to guarantee there are no leading or trailing delimiters. |
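Review bot: The new docblock only advises callers to add a charset, and nothing in the visible part of drupal_set_header() enforces it, so a caller that passes `Content-Type: text/html` without one still produces the response the commit message warns about: with no declared charset a browser may sniff the body as UTF-7, in which `<` arrives as `+ADw-` and survives HTML escaping. Since the function already receives the raw header string, it could close that gap itself, e.g. `if (!empty($header) && preg_match('/^Content-Type:/i', $header) && !preg_match('/charset=/i', $header)) { $header .= '; charset=utf-8'; }` placed before the header is stored (the empty check matters because `$header` defaults to NULL); if the site's output encoding is not always UTF-8 that should be confirmed before hard-coding it. The wording `'charset' type` is also imprecise — it is a parameter of the media type, so `always include a charset parameter (e.g. `charset=utf-8`)` reads more accurately. The body of drupal_set_header() continues outside the hunk, so the exact insertion point for such a check is not visible here.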