Escape URLs in text/plain res.redirect response #1425

Merged
merged 1 commit into from Nov 21, 2012

Contributor

Escape the URL printed by res.redirect using URL encoding. This
prevents some browsers (primarily old versions of IE) from attempting
to sniff the Content-Type and evaluate it as HTML, which causes a
cross-site scripting vulnerability.

@gmethvin gmethvin Escape URLs in text/plain res.redirect response
Escape the URL printed by res.redirect using URL encoding. This
prevents some browsers (primarily old versions of IE) from attempting
to sniff the Content-Type and evaluate it as HTML, which causes a
cross-site scripting vulnerability.
ea5e254
@tj tj merged commit 5cf29a3 into expressjs:master Nov 21, 2012
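
The escaping described in this pull request, sketched as an added example that is not the pull request's diff or Express's own code. The function names, the status-text map, the sample URL and the `X-Content-Type-Options` header are assumptions made for illustration.

```javascript
// Added illustration, not Express source. All names and sample values are constructed.
const STATUS_TEXT = { 301: 'Moved Permanently', 302: 'Found', 303: 'See Other' };

// Before the fix: the redirect target is echoed verbatim into the body.
function redirectBodyRaw(status, url) {
  return STATUS_TEXT[status] + '. Redirecting to ' + url;
}

// After the fix: the target is URL-encoded before it is printed, so
// '<', '>', '"' and spaces become %3C, %3E, %22 and %20.
// Note: encodeURI also encodes '%', so an already-encoded target is
// shown double-encoded in the body (this affects the displayed text only).
function redirectBodyEscaped(status, url) {
  return STATUS_TEXT[status] + '. Redirecting to ' + encodeURI(url);
}

// True if the body still holds characters a content sniffer needs to see a tag.
function containsMarkup(body) {
  return /[<>"]/.test(body);
}

// Full text/plain response. X-Content-Type-Options is an extra hardening
// header assumed here; it is not part of the change described above.
function buildRedirect(status, url) {
  const body = redirectBodyEscaped(status, url);
  return {
    status,
    headers: {
      'Location': url,
      'Content-Type': 'text/plain',
      'Content-Length': Buffer.byteLength(body),
      'X-Content-Type-Options': 'nosniff',
    },
    body,
  };
}

// Constructed sample target carrying harmless markup.
const SAMPLE_URL = 'http://example.com/?q=<b>x</b>';
console.log(redirectBodyRaw(302, SAMPLE_URL));
console.log(buildRedirect(302, SAMPLE_URL));
```

The raw body still contains `<b>x</b>`, which a sniffing browser could render as HTML; the escaped body contains only `%3Cb%3Ex%3C/b%3E`.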

1 check passed

default The Travis build passed