Thiago Zaninotti reported to security@apache.org on 20060410 a possible

cross-site scripting flaw because the Expect header error message isn't
escaped.  We couldn't find a way that this could be used by an attacker
however, as they can't influence the Expect header a victim will send to a
target site.  Thiago agreed and we're therefore not treating this as a
security flaw, but it is a bug that ought to get fixed.  I'll add to 
STATUS for 1.3/2.0/2.2 shortly for acks.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@394965 13f79535-47bb-0310-9956-ffa450edef68