
22 Nov 2005, 7:29 a.m.
On Tue 22. 11. 2005 11:58, Garvin Hicking wrote:
> > and $HTTP_HOST is not a place for XSS attacks
>
> Why did Michal then fix this a day ago?

Because you could insert any JavaScript using index.php?HTTP_HOST="><script>some evil code</script>

--
Michal Čihař | http://cihar.com
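
The pattern discussed in this message, as an added example that is not part of the original message or the project's code: an unescaped host value next to a validated and escaped one. It assumes request parameters can overwrite a global such as `$HTTP_HOST`; the function names, markup and default host are hypothetical.

```php
<?php
// Added example; every name and all markup here is hypothetical.

// "Before": the value is placed in an HTML attribute with no escaping.
// If request parameters are imported into globals, the caller of
// index.php?HTTP_HOST=... decides what $host contains.
function render_link_unsafe(string $host): string
{
    return '<a href="http://' . $host . '/index.php">Home</a>';
}

// Read the host from the server array only, and accept nothing but a
// hostname or IPv4 literal with an optional port. The Host header is
// client-supplied as well, so it is validated rather than trusted.
function trusted_host(array $server, string $default = 'localhost'): string
{
    $host = $server['HTTP_HOST'] ?? '';
    if (preg_match('/\A[A-Za-z0-9.-]{1,253}(?::\d{1,5})?\z/', $host) === 1) {
        return $host;
    }
    return $default; // assumed fallback; a real deployment would configure this
}

// "After": validate first, then escape for the attribute context anyway,
// so a later loosening of the pattern does not reopen the hole.
function render_link_safe(array $server): string
{
    $host = htmlspecialchars(trusted_host($server), ENT_QUOTES, 'UTF-8');
    return '<a href="http://' . $host . '/index.php">Home</a>';
}

// Constructed sample input: the string quoted in the message above.
$sample = '"><script>some evil code</script>';

// Unsafe path: the quote closes the href attribute and the tag is emitted.
echo render_link_unsafe($sample), "\n";

// Safe path: the sample fails the pattern and the default host is used.
echo render_link_safe(['HTTP_HOST' => $sample]), "\n";

// Safe path with a well-formed host and port, which passes unchanged.
echo render_link_safe(['HTTP_HOST' => 'db.example.org:8080']), "\n";
```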