Hi,

This is very low risk because any browser that doesn't obey the HTTP 301 code is likely ancient and vulnerable.

One place this matters is automated scanning tools. I have a system that is being audited for PCI compliance by a tool from Qualys which is basically a glorified port scanner. It passes in `<script></script>` nonsense on the URL and sure enough Pound repeats this in the document fallback if the HTTP 301 redirect is not obeyed. It is a bad idea; the URL should be scrubbed (hard), or simply repeated without an `<a href=...>` and let the user figure it out?

Regards,
Kevin
