wrowe committed on 02 Oct 02
  *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
     ap_server_signature() against this cross-site scripting
     vulnerability exposed by the directive 'UseCanonicalName Off'.
     Also HTML-escape the SERVER_NAME environment variable for CGI
     and SSI requests.  It's safe to escape as only the '<', '>',
     and '&' characters are affected, which won't appear in a valid
     hostname.  Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
     [Brian Pane]
