added prefix against json vulnerability

schmittjoh · Apr 5, 2013 · 3d73cf6 · 3d73cf6
1 parent 402b5f9
commit 3d73cf6
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/JMS/Serializer/Serializer.php b/src/JMS/Serializer/Serializer.php
@@ -70,7 +70,7 @@ public function __construct(MetadataFactoryInterface $factory, HandlerRegistryIn
         $this->navigator = new GraphNavigator($this->factory, $this->handlerRegistry, $this->objectConstructor, $this->dispatcher);
     }
 
-    public function serialize($data, $format, SerializationContext $context = null)
+    public function serialize($data, $format, SerializationContext $context = null, $prefix = false)
     {
         if ( ! $this->serializationVisitors->containsKey($format)) {
             throw new UnsupportedFormatException(sprintf('The format "%s" is not supported for serialization.', $format));
@@ -90,7 +90,9 @@ public function serialize($data, $format, SerializationContext $context = null)
         $visitor->setNavigator($this->navigator);
         $this->navigator->accept($visitor->prepare($data), null, $context);
 
-        return $visitor->getResult();
+        $jsonPrefix = $prefix && $format == "json" ? ")]},\n" : "";
+
+        return $jsonPrefix.$visitor->getResult();
     }
 
     public function deserialize($data, $type, $format, DeserializationContext $context = null)