Files
hhvm/hphp/runtime
Erling Ellingsen 48e0cf8479 Don't send URL in redirect body
If you put a CR in the redirect URL, the response splitting protection refuses to send the Location header, and the body is rendered in the browser; instant xss. It would not surprise me if some browsers ignore the Location header for less obviously broken URLs, so let's just remove the URL entirely.
2013-04-25 00:49:58 -07:00