
Change default JSON prefix from "{} && " to ")]}', "

Issue: SPR-13078
sdeleuze committed Jun 16, 2015
1 parent a08c9f3 commit 818783350278f363d0b5246e36ade298a84d33f8
@@ -101,17 +101,16 @@ public void setJsonPrefix(String jsonPrefix) {
}
/**
* Indicate whether the JSON output by this view should be prefixed with "{} &&".
* Indicate whether the JSON output by this view should be prefixed with ")]}', ".
* Default is {@code false}.
* <p>Prefixing the JSON string in this manner is used to help prevent JSON
* Hijacking. The prefix renders the string syntactically invalid as a script
* so that it cannot be hijacked. This prefix does not affect the evaluation
* of JSON, but if JSON validation is performed on the string, the prefix
* would need to be ignored.
* so that it cannot be hijacked.
* This prefix should be stripped before parsing the string as JSON.
* @see #setJsonPrefix
*/
public void setPrefixJson(boolean prefixJson) {
this.jsonPrefix = (prefixJson ? "{} && " : null);
this.jsonPrefix = (prefixJson ? ")]}', " : null);
}
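Review bot: The Javadoc on setPrefixJson still leaves the `false` branch undocumented: the assignment `this.jsonPrefix = (prefixJson ? ")]}', " : null);` overwrites the field, so `setPrefixJson(false)` silently discards a prefix configured through setJsonPrefix (which, judging by the `@see` and the hunk header, presumably writes the same field) and `setPrefixJson(true)` replaces a custom prefix with the default. A sentence such as `Calling this method overrides any prefix previously set via {@link #setJsonPrefix}; {@code false} removes the prefix entirely.` would make that interaction explicit for anyone wiring both properties. The same applies to the two other copies of this setter, in the hunks at `@@ -76,15 +76,14 @@` and `@@ -99,16 +99,15 @@`. The copy in the latter hunk also renders the prefix with `<tt>` where this one uses plain quotes and `{@code}`; `{@code ")]}', "}` would keep the three consistent.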
@@ -76,15 +76,14 @@ public void setJsonPrefix(String jsonPrefix) {
}
/**
* Indicate whether the JSON output by this view should be prefixed with "{} &&". Default is false.
* Indicate whether the JSON output by this view should be prefixed with ")]}', ". Default is false.
* <p>Prefixing the JSON string in this manner is used to help prevent JSON Hijacking.
* The prefix renders the string syntactically invalid as a script so that it cannot be hijacked.
* This prefix does not affect the evaluation of JSON, but if JSON validation is performed on the
* string, the prefix would need to be ignored.
* This prefix should be stripped before parsing the string as JSON.
* @see #setJsonPrefix
*/
public void setPrefixJson(boolean prefixJson) {
this.jsonPrefix = (prefixJson ? "{} && " : null);
this.jsonPrefix = (prefixJson ? ")]}', " : null);
}
@@ -210,15 +210,15 @@ public void prefixJson() throws Exception {
MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
this.converter.setPrefixJson(true);
this.converter.writeInternal("foo", outputMessage);
assertEquals("{} && \"foo\"", outputMessage.getBodyAsString(UTF8));
assertEquals(")]}', \"foo\"", outputMessage.getBodyAsString(UTF8));
}
@Test
public void prefixJsonCustom() throws Exception {
MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
this.converter.setJsonPrefix(")]}',");
this.converter.setJsonPrefix(")))");
this.converter.writeInternal("foo", outputMessage);
assertEquals(")]}',\"foo\"", outputMessage.getBodyAsString(UTF8));
assertEquals(")))\"foo\"", outputMessage.getBodyAsString(UTF8));
}
@@ -233,16 +233,16 @@ public void prefixJson() throws Exception {
this.converter.setPrefixJson(true);
this.converter.writeInternal("foo", outputMessage);
assertEquals("{} && \"foo\"", outputMessage.getBodyAsString(Charset.forName("UTF-8")));
assertEquals(")]}', \"foo\"", outputMessage.getBodyAsString(Charset.forName("UTF-8")));
}
@Test
public void prefixJsonCustom() throws Exception {
MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
this.converter.setJsonPrefix(")]}',");
this.converter.setJsonPrefix(")))");
this.converter.writeInternal("foo", outputMessage);
assertEquals(")]}',\"foo\"", outputMessage.getBodyAsString(Charset.forName("UTF-8")));
assertEquals(")))\"foo\"", outputMessage.getBodyAsString(Charset.forName("UTF-8")));
}
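Review bot: Both updated assertions in this hunk construct the charset with `Charset.forName("UTF-8")` on every call, whereas the sibling converter test in the previous hunk uses a `UTF8` constant; `StandardCharsets.UTF_8` (or the same kind of constant) avoids the repeated lookup and rules out a typo in the charset name. The change is `assertEquals(")]}', \"foo\"", outputMessage.getBodyAsString(StandardCharsets.UTF_8));` and likewise for the `")))\"foo\""` line. It needs `java.nio.charset.StandardCharsets` imported, which lies outside the hunk.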
@Test
@@ -99,16 +99,15 @@ public void setJsonPrefix(String jsonPrefix) {
}
/**
* Indicates whether the JSON output by this view should be prefixed with <tt>"{} && "</tt>.
* Indicates whether the JSON output by this view should be prefixed with <tt>")]}', "</tt>.
* Default is {@code false}.
* <p>Prefixing the JSON string in this manner is used to help prevent JSON Hijacking.
* The prefix renders the string syntactically invalid as a script so that it cannot be hijacked.
* This prefix does not affect the evaluation of JSON, but if JSON validation is performed
* on the string, the prefix would need to be ignored.
* This prefix should be stripped before parsing the string as JSON.
* @see #setJsonPrefix
*/
public void setPrefixJson(boolean prefixJson) {
this.jsonPrefix = (prefixJson ? "{} && " : null);
this.jsonPrefix = (prefixJson ? ")]}', " : null);
}
/**
@@ -48,6 +48,7 @@
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.ScriptableObject;
import org.springframework.beans.DirectFieldAccessor;
import org.springframework.http.MediaType;
import org.springframework.mock.web.test.MockHttpServletRequest;
import org.springframework.mock.web.test.MockHttpServletResponse;
@@ -180,14 +181,14 @@ public void renderWithPrettyPrint() throws Exception {
public void renderSimpleBeanPrefixed() throws Exception {
view.setPrefixJson(true);
renderSimpleBean();
assertTrue(response.getContentAsString().startsWith("{} && "));
assertTrue(response.getContentAsString().startsWith(")]}', "));
}
@Test
public void renderSimpleBeanNotPrefixed() throws Exception {
view.setPrefixJson(false);
renderSimpleBean();
assertFalse(response.getContentAsString().startsWith("{} && "));
assertFalse(response.getContentAsString().startsWith(")]}', "));
}
@Test
@@ -363,8 +364,14 @@ public void renderWithCustomJsonpParameterName() throws Exception {
}
private void validateResult() throws Exception {
String json = response.getContentAsString();
DirectFieldAccessor viewAccessor = new DirectFieldAccessor(view);
String jsonPrefix = (String)viewAccessor.getPropertyValue("jsonPrefix");
if (jsonPrefix != null) {
json = json.substring(5);
}
Object jsResult =
jsContext.evaluateString(jsScope, "(" + response.getContentAsString() + ")", "JSON Stream", 1, null);
jsContext.evaluateString(jsScope, "(" + json + ")", "JSON Stream", 1, null);
assertNotNull("Json Result did not eval as valid JavaScript", jsResult);
assertEquals("application/json", response.getContentType());
}
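Review bot: `json = json.substring(5);` hard-codes the prefix length even though the actual prefix was read into `jsonPrefix` one line earlier; the new default `")]}', "` is six characters, so the stripped string still begins with a space, and any custom prefix of another length would break the evaluation below. Use the value the test already holds: `assertTrue(json.startsWith(jsonPrefix));` followed by `json = json.substring(jsonPrefix.length());`. The startsWith check also makes every prefixed render verify that the prefix actually reaches the response, instead of only the single `renderSimpleBeanPrefixed` case in the earlier hunk. validateResult is fully inside this hunk.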

