--On Tuesday, November 5, 2002 1:38 PM +0000 Francis Daly
<[EMAIL PROTECTED]> wrote:
> I don't believe there's a danger of any client-side data appearing
> there, but even so it may be worth wrapping the output of
> ap_server_version() with ap_escape_html() -- although if a webmaster
> chooses to load mod_<blink>, perhaps they shouldn't be helped. If
> it is wanted, the change is obvious.
Yeah, I'm not too concerned about a CSS attack here because this is
exactly the same data as emitted by the Server header (which
shouldn't contain HTML and doesn't have any user-specific data).
> Two patches below: one is for httpd-2.0/server/core.c, which just
> adds (unescaped) ap_get_server_version() to ap_psignature. Against
> the current CVS version; not compiled, not tested, but it looks
> right to me.
Looks fine. Committed. Thanks! -- justin
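An added illustration of the point under discussion, not code from the thread or from httpd: a small stand-in for ap_escape_html and a simplified model of the ap_psignature output, so the unescaped and escaped forms of the server version string can be compared. The function names, the module name in the sample and the signature layout are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ap_escape_html (assumed behaviour, not httpd's own code):
 * '<', '>' and '&' become entities; the result is malloc'd, caller frees. */
char *escape_html_copy(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++)
        n += (*p == '<' || *p == '>') ? 4 : (*p == '&') ? 5 : 1;
    char *out = malloc(n + 1), *q = out;
    if (!out) return NULL;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': strcpy(q, "&lt;");  q += 4; break;
        case '>': strcpy(q, "&gt;");  q += 4; break;
        case '&': strcpy(q, "&amp;"); q += 5; break;
        default:  *q++ = *p;          break;
        }
    }
    *q = '\0';
    return out;
}
/* Simplified model of the <address> block ap_psignature emits, with the server
 * version added as in the committed core.c change. Hypothetical, not httpd's. */
char *server_signature(const char *version, const char *host, int port, int escape)
{
    char *ver = escape ? escape_html_copy(version) : malloc(strlen(version) + 1);
    if (!ver) return NULL;
    if (!escape) strcpy(ver, version);
    size_t len = strlen(ver) + strlen(host) + 64;
    char *out = malloc(len);
    if (out)
        snprintf(out, len, "<address>%s Server at %s Port %d</address>\n", ver, host, port);
    free(ver);
    return out;
}

int main(void)
{
    /* Constructed version string carrying the kind of module name Francis joked about. */
    const char *ver = "Apache/2.0 (Unix) mod_<blink>/0.1";
    char *raw = server_signature(ver, "www.example.com", 80, 0);
    char *esc = server_signature(ver, "www.example.com", 80, 1);
    printf("unescaped: %sescaped:   %s", raw, esc);
    free(raw); free(esc);
    return 0;
}
```

With the unescaped path the module name lands in the page as a live tag, which is exactly why the thread considers the escaping worthwhile even though the same string already travels unescaped in the Server header.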