Stut:
> > That's already there. They set the content-type. The problem becomes
> > when they set it vs. when output goes out. It's also very common to
> > turn on output buffering and buffer a bunch of stuff and then set the
> > content-type just before flushing the buffer.
>
> Maybe it's enough for the tainting to switch context when a new content
> type is set. I'm trying to think of a situation where you might not be
> able to determine the requested output format because the tainting gets
> in the way, but I can't come up with anything. However, it would likely
> break a number of existing scripts which is not ideal.
This would not break any scripts. Taint support must not be turned
on unless the application was written to support it.
Wietse
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
