
JS: Handle default 'content-type' header in Response() objects

Open asgerf opened this issue 1 month ago • 0 comments

When using new Response() to construct HTTP responses, the content-type header defaults to text/plain;charset=utf-8 unless explicitly set to something else.

This means its argument is not an html-injection sink when the header is omitted.

asgerf avatar Nov 26 '25 12:11 asgerf
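The behaviour described in the issue, as an added example that is not part of the original issue or of CodeQL's own sources: it builds `Response` objects with and without an explicit `content-type` and classifies each one as an HTML-injection sink or not based on the header the runtime actually ends up with. It assumes a WHATWG Fetch runtime with a global `Response` (Node 18+, Deno, Bun, browsers); the `isHtmlSink` and `buildResponses` helpers and the sample attacker string are this example's own constructs. It also covers a caveat the issue does not spell out: constructed responses have a mutable header set, so `headers.set('content-type', 'text/html')` after construction turns the same body into a sink.

```javascript
// Added example, not code from the CodeQL issue above.
// Requires a runtime with the Fetch API global `Response` (Node 18+ etc.).

// Decide whether the body of a Response is an HTML-injection sink:
// only HTML-rendering media types make the body dangerous. Hypothetical
// helper, not a CodeQL API.
function isHtmlSink(response) {
  const ct = (response.headers.get("content-type") || "").toLowerCase();
  return ct.startsWith("text/html") || ct.startsWith("application/xhtml+xml");
}

// Effective content-type as the runtime reports it (null when none is set).
function effectiveContentType(response) {
  return response.headers.get("content-type");
}

// Build responses from the same untrusted input with different header
// situations. `userInput` stands in for attacker-controlled data.
function buildResponses(userInput) {
  const body = `<p>${userInput}</p>`;

  // Header omitted: the Fetch spec fills in text/plain;charset=UTF-8
  // for a string body, so the browser will not render it as HTML.
  const defaulted = new Response(body);

  // Explicit text/html: the body is now an HTML-injection sink.
  const html = new Response(body, {
    headers: { "content-type": "text/html; charset=utf-8" },
  });

  // Explicit non-HTML type: not an HTML sink either.
  const json = new Response(JSON.stringify({ q: userInput }), {
    headers: { "Content-Type": "application/json" },
  });

  // Null body with a null-body status: no content-type is set at all.
  const empty = new Response(null, { status: 204 });

  // Caveat for static analysis: the header may be set after construction.
  // A constructed Response has a mutable "response" header guard, so the
  // default text/plain can be overwritten later, turning the body into a sink.
  const upgraded = new Response(body);
  upgraded.headers.set("content-type", "text/html");

  return { defaulted, html, json, empty, upgraded };
}

// Summarise the classification for each case.
function classify(userInput) {
  const responses = buildResponses(userInput);
  const out = {};
  for (const [name, resp] of Object.entries(responses)) {
    out[name] = { contentType: effectiveContentType(resp), htmlSink: isHtmlSink(resp) };
  }
  return out;
}

// Constructed sample payload for the example.
const attackerInput = "<img src=x onerror=alert(1)>";
console.log(classify(attackerInput));
```

Running it shows the `defaulted` case reporting a `text/plain` content-type and `htmlSink: false`, while `html` and `upgraded` are flagged; the `upgraded` case is the one a taint model that only inspects the constructor call would miss, so a CodeQL model should also account for later `headers.set` calls on the same object.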