22 Nov
2005
22 Nov
'05
1:29 p.m.
On Tue 22. 11. 2005 11:58, Garvin Hicking wrote:
and $HTTP_HOST is not a place for XSS attacks
Why did Michal then fix this a day ago?
Because you could insert any javascript using index.php?HTTP_HOST="><script>some evil code</script>
--
Michal Čihař | http://cihar.com