2009/8/15 Daniel Friesen <lists(a)nadir-seen-fire.com>:
> Add a &ctype= param?
That would require sanitization anyway. I haven't forgotten why
&format=txt and &format=dbg use text/text instead of text/plain: if
the MIME type is text/plain and IE thinks it looks like HTML, it'll
parse it as HTML, triggering some nice HTML and JavaScript injection
vulnerabilities.
Roan Kattouw (Catrope)