From 248a9c41588fe9a5566d763f61a555c15c3bf3d0 Mon Sep 17 00:00:00 2001
From: Arnoldas Grigutis
Date: Wed, 15 Jul 2015 14:26:53 +0300
Subject: [PATCH] Protection against rosetta flash attacks

---
 Controller/Controller.php | 2 +-
 Tests/Controller/ControllerTest.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Controller/Controller.php b/Controller/Controller.php
index c4ad6953..aea785f0 100644
--- a/Controller/Controller.php
+++ b/Controller/Controller.php
@@ -108,7 +108,7 @@ public function indexAction(Request $request, $_format)
 throw new HttpException(400, 'Invalid JSONP callback value');
 }
- $content = $callback.'('.$content.');';
+ $content = '/**/' . $callback . '(' . $content . ');';
 }
 $response = new Response($content, 200, array('Content-Type' => $request->getMimeType($_format)));
diff --git a/Tests/Controller/ControllerTest.php b/Tests/Controller/ControllerTest.php
index c0c46066..98af6438 100644
--- a/Tests/Controller/ControllerTest.php
+++ b/Tests/Controller/ControllerTest.php
@@ -94,7 +94,7 @@ public function testGenerateWithCallback($callback)
 $response = $controller->indexAction($this->getRequest('/', 'GET', array('callback' => $callback)), 'json');
 $this->assertEquals(
- sprintf('%s({"base_url":"","routes":[],"prefix":"","host":"","scheme":""});', $callback),
+ sprintf('/**/%s({"base_url":"","routes":[],"prefix":"","host":"","scheme":""});', $callback),
 $response->getContent()
 );
 }
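Review bot: The new `$content = '/**/' . $callback . '(' . $content . ');'` line carries no explanation of why the `/**/` is there, and the mitigation only holds together with the callback validation that throws the 400 just above it — a later cleanup could drop either half and silently reopen the hole. I would put a comment on that line: `// Leading comment keeps caller-controlled bytes out of offset 0, so the body can never begin with an SWF header (FWS/CWS/ZWS) and be loaded as Flash (Rosetta Flash); relies on the callback check above.` As defence in depth, the `Response` built on the context line below could also send `X-Content-Type-Options: nosniff`, and its Content-Type is taken from `$_format` (`json` in the test), so the JSONP body is presumably labelled with the JSON MIME type rather than a JavaScript one — worth confirming against the bundle's format configuration. `indexAction` starts and ends outside the hunk.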