Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JSON loading should follow OWASP reccomendation #257

Closed
ldusan84 opened this issue Mar 16, 2013 · 7 comments
Closed

JSON loading should follow OWASP reccomendation #257

ldusan84 opened this issue Mar 16, 2013 · 7 comments
Assignees

Comments

@ldusan84
Copy link
Contributor

ldusan84 commented Mar 16, 2013

I think that JSON loading should follow OWASP reccomendation on that:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse

@verklov verklov self-assigned this Apr 18, 2014
@verklov
Copy link
Contributor

verklov commented Apr 18, 2014

@ldusan84, thank you for the issue and sorry for the delay! There is a ticket in the backlog. We will notify you once the team resolves this issue.

magento-team added a commit that referenced this issue Jul 4, 2014
* Service layer updates:
  * Implemented API for the CatalogInventory module
  * Refactored the external usages of the CatalogInventory module to service
* Fixed bugs:
  * Fixed an issue where a coupon usage option was not comprehensible enough
  * Fixed an issue where products selection for adding to a bundle option was lost when switching between pages with product grids
  * Fixed an issue where  Google Content was not sending the correct 'description' attribute
  * Fixed an issue where custom attributes were not displayed in layered navigation after a product import
  * Fixed an issue where the Category URL keys did not work correctly after saving
  * Fixed an issue where an admin could not create a Target rule with a certain Products to Display condition
  * Fixed a jQuery error on a product page in the Admin panel, which appeared when switching between product tabs
* Framework Improvements:
  * Created ProductsCustomOptions Service API for Catalog module
  * Created DownloadableLink Service API for Catalog module
* GitHub requests:
  * [#257] JSON loading should follow OWASP recommendation
@verklov
Copy link
Contributor

verklov commented Jul 21, 2014

@ldusan84, we have fixed the issue that you reported and released the fix in dev85. Thank you again for contributing to Magento quality! We are closing this issue.

@verklov verklov closed this as completed Jul 21, 2014
@verklov
Copy link
Contributor

verklov commented Jul 28, 2014

@ldusan84, I saw your tweet that you did not find the code we released in dev85 in scope of this issue. I investigated to find out if there was a mistake and the code was not included, but nope, the developer confirmed his code changes are there.

He made an assumption that his implementation was different from what you might have expected. Here is what he suggested:

Look for Magento\Framework\App\Response\Http::representJson($content) method.
You can find its numerous usages in places that did require appropriate Content-Type header.

Please let us know if this explains everything or you would still like to get more information. If yes, please note what exactly leaves you puzzled here and I will try to connect you and the developer to make sure you receive all the answers.

@ldusan84
Copy link
Contributor Author

ldusan84 commented Jul 28, 2014

Hi @verklov

Thanks for your effort on this issue.

My concern was mainly regarding that the mime type on script tags that output json should be "application/json" and not "text/javascript". I realize it's a minor issue and that this vulnerability is not likely to be exploited, but I think it's a good practice to follow OWASP standards.

Let me know what you think.

Thanks
Dusan

@verklov
Copy link
Contributor

verklov commented Jul 28, 2014

Hi @ldusan84, I will let the developer know of your concerns tomorrow. If this requires some changes in the code to correspond to the OWASP standards, we will definitely initiate this change.

Let me get back to you once I have the decision made.

Best regards,
Sergey

@verklov
Copy link
Contributor

verklov commented Jul 30, 2014

@ldusan84, I got a response from the developer to your latest comment in this thread:

Magento uses tags with type set to text/javascript for regular javascript code. Content type application/json has to be used when script tag contains only JSON. If you have found any such tags in Magento code, please let us know and we will fix it. Magento uses pure JSON mainly in AJAX requests, and as we mentioned in the initial post we have already fixed those cases (Magento now sets correct content type for JSON responses).

Once again, thank you for your input.

@ldusan84
Copy link
Contributor Author

ldusan84 commented Jul 30, 2014

Hi @verklov

Thanks for the response. In the meantime I have investigated this a bit and it seems that mime type on script tag is not really that important, so I think that's good the way it is.

I really like the way this issue has been resolved, thanks again.

Regards
Dusan

vpelipenko added a commit that referenced this issue Apr 30, 2015
[GoInc] MAGETWO-33527 M2 GitHub Update (version 0.74.0-beta6)
magento-team pushed a commit that referenced this issue Dec 23, 2015
mmansoor-magento pushed a commit that referenced this issue Aug 18, 2016
Stories:
* MAGETWO-24139: Resolve TODO's related to Customer Service or create stories to resolve them
* MAGETWO-56007: Initialize default values in customer custom attributes metadata
* MAGETWO-56008: Moving getStoreByWebsite to Store Module
andrewbess pushed a commit to andrewbess/magento2ce that referenced this issue Jun 1, 2020
magento-engcom-team added a commit that referenced this issue Jul 16, 2020
 - Merge Pull Request #28210 from mmezhensky/magento2:257-single-mutation-option-id-v2
 - Merged commits:
   1. 3140823
   2. f4e2665
   3. 54625d9
   4. f990c5d
   5. e2daca8
   6. a095757
magento-engcom-team added a commit that referenced this issue Jul 16, 2020
Accepted Community Pull Requests:
 - #28210: #257: create new id_v2 option (by @mmezhensky)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants