On May 18, 2012, at 3:36 PM, Frank Karlitschek wrote:

> Attackers can do evil stuff if you don't filter header entries.
> This code was introduced as part of a security fix a few weeks ago.

I don't think escaping for html will fix this :) What was it supposed to fix?

Evert