Paul-Christian Volkmer authored
It generally might not occur but in some conditions the previous code
could be used to inject something into the response by manipulating the
origin header to include some \n or \r.
These sequences should not occur in the resulting CORS headers.

Patch replaces all \n or \r in origin header with a white space char.
Newer servlet containers like Tomcat 7.x fix this problem, but it might
be a good idea to fix this issue within ARSnova.

See: https://www.owasp.org/index.php/HTTP_Response_Splitting
89e32cfb
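The replacement described in the commit message, written out as an added example; this is not the ARSnova patch itself. The class and method names are hypothetical, the sample origins are constructed, and the stricter `isWellFormed` check is an assumption that goes beyond what the commit does.

```java
import java.util.regex.Pattern;

public class CorsOriginSanitizer {
    // Hypothetical helper; only the CR/LF-to-space replacement comes from the commit message.
    private static final Pattern CR_OR_LF = Pattern.compile("[\\r\\n]");
    // Stricter alternative (assumption, not part of the patch): scheme://host[:port] only.
    private static final Pattern ORIGIN =
            Pattern.compile("https?://[A-Za-z0-9.-]+(:\\d{1,5})?");

    /** What the commit describes: every \n or \r becomes a single white space. */
    static String sanitize(String origin) {
        return origin == null ? null : CR_OR_LF.matcher(origin).replaceAll(" ");
    }

    /** Stricter option: refuse to reflect anything that is not a well-formed origin. */
    static boolean isWellFormed(String origin) {
        return origin != null && ORIGIN.matcher(origin).matches();
    }

    /** Number of header lines produced if the value is written out without any CR/LF check. */
    static int headerLines(String value) {
        String block = "Access-Control-Allow-Origin: " + value + "\r\n";
        return block.split("\r\n|\r|\n").length;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the ARSnova code base.
        String[] samples = {
            "https://app.example.org",
            "https://app.example.org\r\nX-Injected: 1",
        };
        for (String raw : samples) {
            String clean = sanitize(raw);
            System.out.printf("raw lines=%d, sanitized lines=%d, well-formed=%b%n",
                    headerLines(raw), headerLines(clean), isWellFormed(raw));
        }
    }
}
```

Replacing the line breaks keeps the reflected value on one header line; rejecting a malformed origin outright avoids reflecting the leftover text at all.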
Forked from an inaccessible project.