Files
hhvm/hphp/runtime/base
Erling Ellingsen 48e0cf8479 Don't send URL in redirect body
If you put a CR in the redirect URL, the response splitting protection refuses to send the Location header, and the body is rendered in the browser; instant XSS. It would not surprise me if some browsers ignore the Location header for less obviously broken URLs, so let's just remove the URL entirely.
2013-04-25 00:49:58 -07:00