Escape URLs in text/plain res.redirect response
Escape the URL printed by res.redirect using URL encoding. This prevents some browsers (primarily old versions of IE) from attempting to sniff the Content-Type and evaluate it as HTML, which causes a cross-site scripting vulnerability.
Showing with 18 additions and 1 deletion.
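The escaping described in the commit message, as an added example that is not code from this commit or from Express: the same text/plain redirect body built without and with URL encoding. The function names, status text and sample URLs are constructed for illustration; preserving existing `%XX` escapes and replacing unpaired surrogates are assumptions that go beyond what the message states.

```javascript
// Added example, not Express's implementation. Function names are hypothetical.

// With the `u` flag this class matches only unpaired surrogates, which would
// otherwise make encodeURI throw URIError.
const LONE_SURROGATE = /[\uD800-\uDFFF]/gu;

// Percent-encode a URL for display, leaving existing %XX escapes untouched so
// an already-encoded URL is not double-encoded.
function encodeUrlForBody(url) {
  return String(url)
    .replace(LONE_SURROGATE, '\uFFFD')
    .split(/(%[0-9A-Fa-f]{2})/) // odd indexes hold the captured %XX escapes
    .map((part, i) => (i % 2 === 1 ? part : encodeURI(part)))
    .join('');
}

// "Before": the URL is echoed verbatim into the text/plain body.
function redirectBodyUnescaped(statusText, url) {
  return `${statusText}. Redirecting to ${url}`;
}

// "After": the URL is URL-encoded first, so the body carries no raw < or >.
function redirectBodyEscaped(statusText, url) {
  return `${statusText}. Redirecting to ${encodeUrlForBody(url)}`;
}

// Check usable in a unit test: does the body contain anything a sniffing
// browser could parse as a tag?
function hasRawMarkup(body) {
  return /[<>]/.test(body);
}

// Constructed sample input.
const sample = 'http://example.test/next?q=<b>sniffed</b>';
console.log(redirectBodyUnescaped('Found', sample));
console.log(redirectBodyEscaped('Found', sample));
```
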