
SECURITY: Ensure javascript content type is sent in form responses. I…

…f content type is html, and the javascript contains script tags within the content, this content will be executed.
andrewandante authored and chillu committed May 2, 2012
1 parent c1d2cd1 commit 9bf3ae9a190effefc6322e79c702c700262de84a
Showing with 8 additions and 6 deletions.
  1. +8 −6 core/control/FormResponse.php
@@ -72,15 +72,16 @@ class FormResponse {
* @return string
*/
static function respond() {
+ $response = new SS_HTTPResponse();
+
// we don't want non-ajax calls to receive javascript
if(isset($_REQUEST['forcehtml'])) {
- return self::$non_ajax_content;
+ $response->setBody(self::$non_ajax_content);
} else if(isset($_REQUEST['forceajax']) || Director::is_ajax()) {
- // TODO figure out a way to stay backwards-compatible with Ajax.Evaluator and still use the automatic evaluating of Prototype
- //header("Content-type: text/javascript");
- return self::get_javascript();
+ $response->addHeader('Content-Type', 'text/javascript');
+ $response->setBody(self::get_javascript());
} elseif(!empty(self::$non_ajax_content)) {
- return self::$non_ajax_content;
+ $response->setBody(self::$non_ajax_content);
} elseif(!empty(self::$redirect_url)) {
Director::redirect(self::$redirect_url);
return null;
@@ -90,7 +91,8 @@ static function respond() {
} else {
return null;
}
-
+
+ return $response;
}
/**
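Review bot: The context line `* @return string` in respond()'s docblock is now stale, because the function returns the `SS_HTTPResponse` built at the top of the first hunk via the added `return $response;` in the second hunk, or `null` on the redirect and fall-through branches; change it to `* @return SS_HTTPResponse|null`. Callers that still treat the result as a string (echoing or concatenating it) now receive an object, so call sites presumably need checking before this lands. Since the fix relies on the browser honouring the declared type, adding `$response->addHeader('X-Content-Type-Options', 'nosniff');` beside the new Content-Type header would keep MIME sniffing from reinterpreting the javascript body as HTML. respond() starts in the first hunk and closes in the second; the lines between the two hunks are not shown.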

2 comments on commit 9bf3ae9

Contributor

UndefinedOffset replied Nov 8, 2012

Commit appears to cause issue http://open.silverstripe.org/ticket/7871

Owner

chillu replied Nov 8, 2012

@ajoneil Could you have a look please? That's for 2.4
