[Web-SIG] Newline values in WSGI response header values.
pywebsig at xhaus.com
Thu Jun 12 11:06:42 CEST 2008
> Thus, is an embedded newline in value invalid? Would it be reasonable
> for a WSGI adapter to flag it as an error?
>From a security POV, it may be advisable for WSGI servers to *not*
allow newlines in HTTP response headers; newlines in response headers
may be the result of an application's failure to sanitise its inputs.
More information about the Web-SIG