Otsuka,

otsuka wrote:
> The value of "lang" attribute which <html:html> tag generates is
> not escaped. I think it could cause XSS problem if Accept-Language
> HTTP header's value is replaced with <script> tag.

Have you tried doing this? If so, what happens?

-chris
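The escaping question raised in the quoted report, as an added example that is not part of the original message and is not Struts code: assuming the Accept-Language value reaches the `lang` attribute unchanged (the report's claim, not confirmed in this thread), the code below renders the attribute unescaped, then with an allowlist check plus attribute escaping. The class name, method names, the allowlist pattern and the sample header values are all constructed for illustration.

```java
import java.util.regex.Pattern;

public class LangAttributeDemo {
    // Assumption: a conservative allowlist for language tags such as "en", "ja", "en-US".
    private static final Pattern LANG_TAG =
            Pattern.compile("[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*");

    // Unescaped rendering: the value is concatenated straight into the attribute.
    static String renderUnsafe(String lang) {
        return "<html lang=\"" + lang + "\">";
    }

    // Escape the characters that can close an attribute value or open a tag.
    static String escapeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened rendering: drop the attribute when the value is not a plausible
    // language tag, and escape whatever is emitted as defence in depth.
    static String renderSafe(String lang) {
        if (lang == null || !LANG_TAG.matcher(lang).matches()) {
            return "<html>";
        }
        return "<html lang=\"" + escapeAttr(lang) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample values; the last one mimics the case in the report.
        String[] samples = { "en-US", "ja", "en\"><script>alert(1)</script>" };
        for (String s : samples) {
            System.out.println("unsafe: " + renderUnsafe(s));
            System.out.println("safe:   " + renderSafe(s));
        }
    }
}
```

For the third sample the unescaped form closes the attribute and emits a live `<script>` element, while the hardened form falls back to a bare `<html>` tag.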