<?php
// Unsafe: $_GET['lang'] is concatenated into a `header()` line. The bare
// `header` matcher (exact-match sigil) fires on the call. Tainted input
// without `\r\n` stripping permits response splitting.
$lang = $_GET['lang']; // source: request-controlled value, no validation or encoding
header("X-Lang: " . $lang); // sink: the raw value becomes part of a response header line
//
// Notes for readers of this fixture:
// - Presumably a deliberate positive case for the scanner, so the two
//   statements above are intentionally left unsafe.
// - Current PHP runtimes refuse a header() argument that contains a newline
//   (a warning is raised and the header is not sent), which blunts splitting
//   in practice. The header value is still chosen by the requester, so the
//   finding remains valid.
// - In application code, resolve the parameter against an allow-list of
//   supported language codes and emit only the matched constant.