Comment 3 for bug 1251336

Seth Arnold (seth-arnold) wrote :

I'm afraid these patches may not be sufficient; I believe some (most?) browsers perform content introspection to determine if the server-supplied MIME type is correct. If an attacker supplies some <html><script> tags in their input, a real browser may happily execute the script contents against the server's explicit demands.

If IE6 is the only browser this busted, I'm fine with this patch, but we should discover which browsers might ignore server-supplied MIME types; we may need to manually escape special characters.

Thanks
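
The concern in the comment above, shown as an added example that is not part of the bug's patches or the project's code: a response that echoes user input is declared as text/plain and also has its special characters escaped, so the body stays inert even in a browser that sniffs it as HTML. The function names, the `name` query parameter and the use of the `X-Content-Type-Options: nosniff` header are assumptions made for this illustration.

```python
# Added example; all names here are hypothetical, not from the patched project.
from html import escape
from urllib.parse import parse_qs


def error_response(user_value):
    """Build (status, headers, body) for an error message that echoes input."""
    # Escape &, <, >, " and ' so the echoed value cannot form tags even if
    # a browser ignores the declared type and renders the body as HTML.
    safe = escape(user_value, quote=True)
    body = ("Invalid value: %s\n" % safe).encode("utf-8")
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        # Browsers that honour this header do not sniff the body type.
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ]
    return "400 Bad Request", headers, body


def app(environ, start_response):
    """Minimal WSGI app that reflects the 'name' query parameter."""
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    value = params.get("name", [""])[0]
    status, headers, body = error_response(value)
    start_response(status, headers)
    return [body]


def call_app(query_string):
    """Drive the app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"QUERY_STRING": query_string}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed sample input: URL-encoded <html><script>x</script>
    status, headers, body = call_app("name=%3Chtml%3E%3Cscript%3Ex%3C%2Fscript%3E")
    print(status, headers["Content-Type"], headers["X-Content-Type-Options"])
    print(body.decode("utf-8"), end="")
```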