Hi!
But then such a file should not be included in the release, or at least renamed to "test.php.txt" so that it can only be executed after being renamed?
Why? The lang scripts are not renamed from .sh to .sh.txt either ... and don't make it too hard for theme developers - they are probably not techies.
.sh scripts cannot be executed through HTTP. .php scripts can.
Why did Michal then fix this a day ago?
I don't know. I mean, it is not wrong to escape this value, but it is not really necessary: you cannot reach the host you want if you add XSS code to the host in the HTTP header ... IMHO!
That depends on the Apache setup. If you use HTTP 1.0 you can specify the Host: header with any content you like. Plus you might be able to pass $HTTP_HOST as a register_globals variable.
Regards, Garvin
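
The point about the Host: header, as an added example that is not part of the original message or of the project's code: the host value is read only from the server array, checked against hostname syntax, and escaped on output. The function names, the fallback host and the sample values are hypothetical.

```php
<?php
// Added illustration: treat the Host header as untrusted input.
// safe_host(), render_home_link() and the sample values are hypothetical.

// Return the request host only if it looks like "name" or "name:port".
// IPv6 literals and anything containing markup fall back to a fixed value.
function safe_host(array $server, string $fallback = 'localhost'): string
{
    // Read from the server array explicitly, never from a global
    // $HTTP_HOST, which request parameters can overwrite when
    // register_globals is enabled.
    $host = isset($server['HTTP_HOST']) ? (string) $server['HTTP_HOST'] : '';

    // The D modifier stops "$" from matching before a trailing newline.
    $pattern = '/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}(?::\d{1,5})?$/D';
    if (preg_match($pattern, $host) === 1) {
        return strtolower($host);
    }
    return $fallback;
}

// Build a link from the host. Escaping at output time stays in place even
// though the value was validated, so a later change to the validation
// cannot turn the header into markup.
function render_home_link(array $server): string
{
    $host = htmlspecialchars(safe_host($server), ENT_QUOTES, 'UTF-8');
    return '<a href="http://' . $host . '/">home</a>';
}

// Constructed sample requests: a normal host, a host carrying markup
// characters, and a request without a Host header.
$samples = [
    ['HTTP_HOST' => 'blog.example.org:8080'],
    ['HTTP_HOST' => 'example.org"><b>injected</b>'],
    [],
];

foreach ($samples as $server) {
    echo render_home_link($server), "\n";
}
```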