Cross site scripting issue
jelmerk opened this issue · 0 comments
jelmerk commented
If the server returns a header like this:
Link: <h1>test</h1>
the HTML is not escaped.
It is both a security risk and annoying from a functionality standpoint, because Link headers take the following form:
Link:<http://some.api//v1/images/5217>; rel="canonical"
And these will now not show up in the response headers section.
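The behaviour reported above, shown as an added example (not code from the issue or from the project): a response-header row built by plain string concatenation next to one that HTML-escapes the name and value first. The function names and the `visibleText` helper, a rough stand-in for what a browser would display, are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not the project's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that is significant in HTML text or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unescaped: the header value is concatenated into the markup as-is,
// so anything between < and > is parsed as a tag.
function renderHeaderRowUnsafe(name, value) {
  return '<tr><td>' + name + '</td><td>' + value + '</td></tr>';
}

// Escaped: name and value are treated as text, never as markup.
function renderHeaderRowSafe(name, value) {
  return '<tr><td>' + escapeHtml(name) + '</td><td>' + escapeHtml(value) + '</td></tr>';
}

// Approximation of the displayed text: drop whatever parses as a tag,
// then decode the entities produced by escapeHtml.
function visibleText(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// The two header values quoted in the issue.
const samples = [
  ['Link', '<h1>test</h1>'],
  ['Link', '<http://some.api//v1/images/5217>; rel="canonical"'],
];

for (const [name, value] of samples) {
  console.log('unescaped shows:', JSON.stringify(visibleText(renderHeaderRowUnsafe(name, value))));
  console.log('escaped shows:  ', JSON.stringify(visibleText(renderHeaderRowSafe(name, value))));
}
```

In a browser, assigning the value through `textContent` instead of building an HTML string gives the same result without a hand-written escaper.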