From 68634335ae97d5542c9345694fd8da184a931820 Mon Sep 17 00:00:00 2001
From: Nick Reed
Date: Fri, 15 Mar 2013 18:09:37 -0500
Subject: [PATCH 1/2] Defend against same origin XSS
---
 lib/assets/javascripts/turbolinks.js.coffee | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/assets/javascripts/turbolinks.js.coffee b/lib/assets/javascripts/turbolinks.js.coffee
index 545170a0..caa851ff 100644
--- a/lib/assets/javascripts/turbolinks.js.coffee
+++ b/lib/assets/javascripts/turbolinks.js.coffee
@@ -29,9 +29,7 @@ fetchReplacement = (url) ->
 xhr.setRequestHeader 'X-XHR-Referer', referer
 xhr.onload = =>
- doc = createDocument xhr.responseText
-
- if assetsChanged doc
+ if invalidContent(xhr) or assetsChanged (doc = createDocument xhr.responseText)
 document.location.reload()
 else
 changePage extractTitleAndBody(doc)...
@@ -140,6 +138,9 @@ triggerEvent = (name) ->
 document.dispatchEvent event
+invalidContent = (xhr) ->
+ !xhr.getResponseHeader('Content-Type').match /text\/html|application\/xhtml\+xml|application\/xml/
+
 extractTrackAssets = (doc) ->
 (node.src || node.href) for node in doc.head.childNodes when node.getAttribute?('data-turbolinks-track')?
@@ -220,7 +221,8 @@ anchoredLink = (link) ->
 (link.href is location.href + '#')
 nonHtmlLink = (link) ->
- link.href.match(/\.[a-z]+(\?.*)?$/g) and not link.href.match(/\.html?(\?.*)?$/g)
+ url = removeHash link
+ url.match(/\.[a-z]+(\?.*)?$/g) and not url.match(/\.html?(\?.*)?$/g)
 noTurbolink = (link) ->
 until ignore or link is document
From a21165ea60605998a00deb5ba9c9587d81529056 Mon Sep 17 00:00:00 2001
From: Nick Reed
Date: Fri, 15 Mar 2013 20:03:02 -0500
Subject: [PATCH 2/2] Improve content-type matcher
---
 lib/assets/javascripts/turbolinks.js.coffee | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/assets/javascripts/turbolinks.js.coffee b/lib/assets/javascripts/turbolinks.js.coffee
index caa851ff..ade2a508 100644
--- a/lib/assets/javascripts/turbolinks.js.coffee
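Review bot: The new `if invalidContent(xhr) or assetsChanged (doc = createDocument xhr.responseText)` line hides both the security rationale and the fact that `doc` is only assigned when the first operand is false, which a reader of the `else` branch has to reconstruct. Splitting it keeps exactly the same short-circuit behaviour: `invalid = invalidContent(xhr)`, then `doc = createDocument xhr.responseText unless invalid`, then `if invalid or assetsChanged doc`. A why-comment would also help, e.g. `# A same-origin response that is not declared as HTML/XML must never be parsed into the document; fall back to a full reload.` The onload handler appears to continue beyond the hunk.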
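Review bot: `xhr.getResponseHeader('Content-Type')` returns null when the response carries no Content-Type header, so the added `invalidContent` throws a TypeError on `.match` and the onload handler aborts silently — the page neither changes nor reloads, whereas an undeclared type should simply count as invalid. The existential call handles that in place: `!xhr.getResponseHeader('Content-Type')?.match /text\/html|application\/xhtml\+xml|application\/xml/`. The same applies to the tightened pattern in the second patch of this series. A one-line doc comment on the helper would be worth adding, e.g. `# True unless the server declared an HTML or XML body; anything else is never parsed into the DOM.`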
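Review bot: The extension test in the new `url.match(/\.[a-z]+(\?.*)?$/g)` is case-sensitive, so a link ending in `.PDF` or `.JPG` is presumably still classified as an HTML link and fetched over XHR; with the content-type guard added elsewhere in this patch that now ends in `document.location.reload()` rather than a parsed document, but `/\.[a-z]+(\?.*)?$/i` and `/\.html?(\?.*)?$/i` would let such links take the normal navigation path. The `g` flag serves no purpose on a boolean `match` test and can be dropped. `removeHash` is not visible in this hunk; confirm it returns the href without its fragment rather than mutating the link. `noTurbolink` continues past the hunk.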
+++ b/lib/assets/javascripts/turbolinks.js.coffee
@@ -139,7 +139,7 @@ triggerEvent = (name) ->
 invalidContent = (xhr) ->
- !xhr.getResponseHeader('Content-Type').match /text\/html|application\/xhtml\+xml|application\/xml/
+ !xhr.getResponseHeader('Content-Type').match /^(?:text\/html|application\/xhtml\+xml|application\/xml)(?:;|$)/
 extractTrackAssets = (doc) ->
 (node.src || node.href) for node in doc.head.childNodes when node.getAttribute?('data-turbolinks-track')?
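Review bot: The tightened pattern `/^(?:text\/html|application\/xhtml\+xml|application\/xml)(?:;|$)/` is case-sensitive, while media type tokens are case-insensitive on the wire, so a legitimate `Text/HTML; charset=utf-8` response would be rejected and force a reload; the `i` flag closes that gap. A parameter separated by whitespace before the semicolon (`text/html ; charset=utf-8`) also fails the `(?:;|$)` alternative; `\s*(?:;|$)` tolerates it. `invalidContent` fits entirely within this hunk; `extractTrackAssets` is context only.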