Header injection via query params

Exploit using param=x%0d%0ax-escape-injected:y query param
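
What the payload above becomes once it is percent-decoded, and a check that stops it, shown as an added example that is not code from the original report. The `X-Echo` response header and all function names are assumptions made for illustration; only the query string comes from the page.

```python
from urllib.parse import parse_qs

# Query string from the report. Everything else here is constructed.
QUERY = "param=x%0d%0ax-escape-injected:y"


def param_value(query: str, name: str = "param") -> str:
    """Return the percent-decoded value of a query parameter."""
    return parse_qs(query, keep_blank_values=True)[name][0]


def naive_response(value: str) -> bytes:
    """Vulnerable pattern: the decoded value is copied into a header as-is."""
    head = f"HTTP/1.1 200 OK\r\nX-Echo: {value}\r\nContent-Length: 0\r\n\r\n"
    return head.encode("latin-1")


def safe_header_value(value: str) -> str:
    """Reject CR, LF and other control characters that can end a header line."""
    for c in value:
        if (ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F:
            raise ValueError(f"control character {c!r} in header value")
    return value


def hardened_response(value: str) -> bytes:
    """Same response, but the value is validated before it reaches the header."""
    return naive_response(safe_header_value(value))


def header_names(raw: bytes) -> list[str]:
    """List header names as a client parsing the response would see them."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0].lower() for line in head.split("\r\n")[1:]]


if __name__ == "__main__":
    value = param_value(QUERY)
    print("decoded value:", repr(value))
    print("naive headers:", header_names(naive_response(value)))
    try:
        hardened_response(value)
    except ValueError as exc:
        print("hardened: rejected,", exc)
```

Validating after decoding matters: the raw query string contains no CR or LF bytes, only `%0d%0a`, so a check on the undecoded string passes.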