From fd13781ee159ac86f422513ed4204bba69544779 Mon Sep 17 00:00:00 2001
From: Steven Wittens
Date: Tue, 17 Oct 2006 04:45:03 +0000
Subject: [PATCH] - Clarify utf-7 exploit in drupal_set_header()
---
includes/common.inc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/includes/common.inc b/includes/common.inc
index e25c6acc552..ebddac8e510 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -128,6 +128,9 @@ function drupal_clear_path_cache() {
 /**
  * Set an HTTP response header for the current page.
+ *
+ * Note: when sending a Content-Type header, always include a 'charset' type
+ * too. This is necessary to avoid security bugs (e.g. UTF-7 XSS).
  */
 function drupal_set_header($header = NULL) {
   // We use an array to guarantee there are no leading or trailing delimiters.
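Review bot: The added docblock states the charset requirement without showing the expected form, and "a 'charset' type" is imprecise, since charset is a parameter of the media type rather than a type of its own. I would replace the two added text lines with ` * Note: when sending a Content-Type header, always include a charset parameter, e.g. 'Content-Type: text/html; charset=utf-8'. Without it the browser may guess the encoding (e.g. UTF-7), which can turn otherwise-escaped output into XSS.` The function itself does not enforce this as far as the hunk shows; because drupal_set_header() is the central place headers pass through, a check that a Content-Type value lacking 'charset=' at least raises a warning would make the requirement harder to forget. The body of drupal_set_header() continues outside the hunk, so I cannot tell whether such a check already exists further down.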