[nycphp-talk] wonderful presentation on Tuesday
Chris Shiflett
shiflett at php.net
Fri Apr 27 11:35:18 EDT 2007

Chris Snyder wrote:
> The example Chris gave about Google's old 404 page, where it
> echoed the requested URI without escaping it first, could
> have been exploited by sending the following link to someone.

For clarification, Google's mistake wasn't that they forgot to escape
the value. (Sorry if I seemed to be making that assertion.)

Rather, they didn't indicate the character encoding in the Content-Type
header, and they escaped the value assuming UTF-8.

Now they send this:

    Content-Type: text/html; charset=UTF-8

Chris
--
Chris Shiflett
http://shiflett.org/
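
Added example (not part of the original message, and not Google's code): a Python sketch of the mismatch described above, where a value is escaped assuming UTF-8 while the response declares no charset. The sample URI, the function names, and the client's fallback guess of UTF-7 are assumptions made for illustration.

```python
import html
from email.message import Message

# Constructed sample: the harmless markup "<b>x</b>" spelled in UTF-7.
# It is plain ASCII and contains none of the characters HTML escaping rewrites.
SAMPLE_URI = "/+ADw-b+AD4-x+ADw-/b+AD4-"


def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()


def render_404(uri, content_type):
    """Build a 404 response that escapes the URI assuming UTF-8 output."""
    body = "<p>Not found: " + html.escape(uri) + "</p>"
    return {"Content-Type": content_type}, body.encode("utf-8")


def client_view(headers, body, guessed="utf-7"):
    """Decode the body the way a client would: use the declared charset,
    otherwise fall back to a guess (assumed here to be UTF-7)."""
    charset = declared_charset(headers["Content-Type"]) or guessed
    return body.decode(charset)


if __name__ == "__main__":
    for ctype in ("text/html", "text/html; charset=UTF-8"):
        headers, body = render_404(SAMPLE_URI, ctype)
        print(ctype)
        print("  declared charset:", declared_charset(ctype))
        print("  client sees     :", client_view(headers, body))
```

The escaping step is identical in both responses; only the declared charset changes what the client decodes.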