2009/8/15 Daniel Friesen lists@nadir-seen-fire.com:
Add a &ctype= param?
That would require sanitization anyway. I haven't forgotten why &format=txt and &format=dbg use text/text instead of text/plain: if the MIME type is text/plain and IE thinks it looks like HTML, it'll parse it as HTML, triggering some nice HTML and JavaScript injection vulnerabilities.
Roan Kattouw (Catrope)
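As an added example (not code from this thread or from MediaWiki), here is one way to handle both points Roan raises: a caller-supplied content-type parameter is only honoured if it is syntactically a bare media type and on a short allow-list, and the response also carries X-Content-Type-Options: nosniff, which goes beyond the thread's text/text workaround and tells IE8+ and other browsers not to sniff the body. The function names, the format-to-MIME table and the allow-list are assumptions of the example.

```python
"""
Added example, not MediaWiki's code: choose a safe Content-Type for a
text-format API response when the caller may request an override.
The function names, FORMAT_CTYPES, the allow-list and the use of the
nosniff header are assumptions of this example, not from the thread.
"""
import re
from typing import Dict, Optional

# Hypothetical format -> MIME mapping. The thread's workaround was to serve
# txt/dbg as text/text so that IE does not content-sniff the body as HTML.
FORMAT_CTYPES = {
    "json": "application/json",
    "txt": "text/text",
    "dbg": "text/text",
}

# Values a caller may request via a hypothetical &ctype= parameter. Anything
# a browser would render as active content (text/html, XML, SVG, ...) is
# deliberately absent, so an override can never turn the output into markup.
ALLOWED_CTYPE_OVERRIDES = frozenset({
    "text/text",
    "text/plain",
    "application/json",
})

# A bare media type token: no whitespace, no CR/LF, no parameters. This is
# the "sanitization" step; it also blocks header injection through the value.
_CTYPE_RE = re.compile(r"^[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+$")


class BadContentType(ValueError):
    """Raised when a requested content type is malformed or not allowed."""


def select_content_type(fmt: str, ctype: Optional[str] = None) -> str:
    """Return the Content-Type to send for output format `fmt`.

    `ctype` is an optional caller-supplied override; it is only honoured if
    it matches _CTYPE_RE and is on ALLOWED_CTYPE_OVERRIDES.
    """
    if fmt not in FORMAT_CTYPES:
        raise BadContentType(f"unknown format: {fmt!r}")
    if ctype is None:
        return FORMAT_CTYPES[fmt]
    requested = ctype.strip().lower()
    if not _CTYPE_RE.match(requested) or requested not in ALLOWED_CTYPE_OVERRIDES:
        raise BadContentType(f"content type not allowed: {ctype!r}")
    return requested


def ctype_is_allowed(fmt: str, ctype: Optional[str] = None) -> bool:
    """True if select_content_type() would accept this format/override pair."""
    try:
        select_content_type(fmt, ctype)
        return True
    except BadContentType:
        return False


def response_headers(fmt: str, ctype: Optional[str] = None) -> Dict[str, str]:
    """Headers for a text-format API response.

    Besides the chosen Content-Type, X-Content-Type-Options: nosniff tells
    IE8+ (and other browsers) not to second-guess the declared type, which
    addresses the sniffing problem the thread describes without having to
    rely on the non-standard text/text type.
    """
    return {
        "Content-Type": f"{select_content_type(fmt, ctype)}; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(response_headers("txt"))
    print(response_headers("json", ctype="text/plain"))
    # Constructed hostile overrides: markup type, header injection, SVG.
    for bad in ("text/html", "text/plain\r\nX-Injected: 1", "image/svg+xml"):
        try:
            response_headers("txt", ctype=bad)
        except BadContentType as e:
            print("rejected:", e)
```

The allow-list is the important part: validating the syntax of the value only stops header injection, while restricting it to types that no browser renders as markup is what keeps a &ctype= override from reintroducing the HTML injection the text/text choice was meant to avoid.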