
[Publication] Set Content-Type for ajax responses #7532

Merged
merged 1 commit into from Aug 16, 2021

Conversation

driusan (Collaborator) commented Aug 16, 2021

This sets the Content-Type header for the ajax responses
in the publication module. Because it's not explicitly
set, PHP is defaulting to text/html. This means that, in
the event that a user directly accesses the endpoint, the
browser will interpret the page as HTML, not JSON, and interpret
any HTML data in the object as HTML tags, opening the possibility of
an XSS attack if someone is tricked into accessing the
ajax endpoint directly.

The frontend isn't directly vulnerable, because the data is only
interpreted by React.

Setting the Content-Type explicitly to the correct "application/json"
means that browsers should interpret the data correctly even if
accessed directly, rather than interpreting HTML tags.

Thanks to @0xSmiley for reporting this.

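The fix described in the PR, shown as an added PHP example that is not LORIS code: a minimal ajax endpoint that returns publication data, first with no Content-Type header (PHP's default of text/html applies, so a browser opening the URL directly renders any markup in the JSON body), then with the header set explicitly. The `getPublications`, `respondVulnerable` and `respondJson` functions and the sample row are constructed for illustration; the `X-Content-Type-Options: nosniff` header and the `JSON_HEX_*` encoding flags go beyond what the PR changed and are defence-in-depth additions, not part of the merged commit.

```php
<?php
// Added example (not LORIS code). Function names and data are constructed.

function getPublications(): array {
    // Constructed sample row. A title containing markup is exactly the kind
    // of value a browser would render as HTML if the response were served
    // as text/html and opened directly.
    return [
        ['PublicationID' => 1, 'Title' => 'Example <b>title</b>'],
    ];
}

// Before: no Content-Type header. PHP falls back to the default_mimetype
// ini setting (text/html), so the JSON body is treated as an HTML document
// when the endpoint is loaded directly in a browser.
function respondVulnerable(array $data): void {
    echo json_encode($data);
}

// After: declare the body as JSON so the browser displays it as text rather
// than parsing it as markup. nosniff stops MIME sniffing from overriding
// the declared type, and the JSON_HEX_* flags encode < > & ' " as \uXXXX so
// the raw body contains no literal angle brackets at all. Both are extra
// hardening on top of the header the PR added.
function respondJson(array $data): void {
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

respondJson(getPublications());
```

To confirm a deployed endpoint is fixed, request it with `curl -sI` (or `curl -si` for a GET) and check that the response carries `Content-Type: application/json` rather than `text/html`; a browser's network inspector shows the same header. The JSON body still has to be consumed by code that treats it as data (as the React frontend does), which is why the header protects the direct-access case rather than changing how the frontend uses the response.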
@driusan driusan added Bug PR or issue introducing/requiring bug fixes (not mutually exclusive with the Feature label) Security PR patches a vulnerability, makes resource access changes, or updates dependencies labels Aug 16, 2021
@driusan driusan merged commit b499373 into aces:23.0-release Aug 16, 2021
@driusan driusan added this to the 23.0.5 milestone Aug 16, 2021