Chris Snyder wrote:
> The example Chris gave about Google's old 404 page, where it
> echoed the requested URI without escaping it first, could
> have been exploited by sending the following link to someone.

For clarification, Google's mistake wasn't that they forgot to escape the value. (Sorry if I seemed to be making that assertion.) Rather, they didn't indicate the character encoding in the Content-Type header, and they escaped the value assuming UTF-8. Now they send this:

    Content-Type: text/html; charset=UTF-8

Chris

-- 
Chris Shiflett
http://shiflett.org/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
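
The check implied by the message above, as an added example that is not part of the original post: it flags HTML responses whose Content-Type omits the charset, or declares one that differs from the encoding the application assumed when escaping. The function names, the escaped_as parameter and the sample header values are assumptions made for illustration.

```python
import codecs
from email.message import Message

HTML_TYPES = {"text/html", "application/xhtml+xml"}

def canonical(charset):
    """Canonical codec name, or None if Python does not know the label."""
    try:
        return codecs.lookup(charset).name
    except LookupError:
        return None

def audit_content_type(header_value, escaped_as="utf-8"):
    """Findings for one Content-Type value.

    escaped_as: the encoding the application assumed when escaping output
    (hypothetical parameter, supplied by whoever runs the audit).
    """
    if not header_value:
        return ["no Content-Type: browser guesses both type and encoding"]
    msg = Message()
    msg["Content-Type"] = header_value
    if msg.get_content_type() not in HTML_TYPES:
        return []                      # only HTML responses are in scope
    charset = msg.get_param("charset")
    if charset is None:
        return ["HTML without charset: browser guesses the encoding, "
                "which may differ from the one used for escaping"]
    if canonical(charset) is None:
        return [f"unknown charset label {charset!r}"]
    if canonical(charset) != canonical(escaped_as):
        return [f"declared {charset} but output was escaped as {escaped_as}"]
    return []

# Constructed sample header values, not captured from any real server.
SAMPLES = [
    "text/html",
    "text/html; charset=UTF-8",
    "text/html; charset=ISO-8859-1",
    "image/png",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r}: {audit_content_type(value) or 'ok'}")
```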
