I think we need a better strategy for response splitting defense.
>
> Right now, the only advice we give is to use the Request/Response
> wrappers, a defense that is not practical for all shops.
>
> I think we need 2 approaches:
>
> 1) Input Validation function that specifically strips linefeed line
> control characters after cannonicalization
> 2) Header Encoder that renders linefeed control characters innert (the
> best defense is always at the usage boundary)
>
> Thoughts?
Original issue reported on code.google.com by manico.james@gmail.com on 30 Jan 2011 at 6:40
Original issue reported on code.google.com by
manico.james@gmail.comon 30 Jan 2011 at 6:40