-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't inject application/json as javascript #400
Conversation
@@ -582,8 +582,11 @@ spf.nav.response.extract_ = function(frag) { | |||
var url = attr.match(spf.nav.response.AttributeRegEx.SRC); | |||
url = url ? url[1] : ''; | |||
var async = spf.nav.response.AttributeRegEx.ASYNC.test(attr); | |||
result['scripts'].push( | |||
{url: url, text: text, name: name, async: async}); | |||
var json = spf.nav.response.AttributeRegEx.JSON.test(attr); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is important, but I have a couple of issues.
- As is, this'll drop the script entirely. It's probably a fine first step, as it's pretty close to the current behavior, but we probably need to allow these to be available in some capacity, either in the DOM or in some other structure. Since you presumably have a use case, thoughts?
- This is probably better off as a Whitelist of valid types instead of a blacklist. How about only allowing scripts with empty types or type='text/javascript'?
- Please add tests.
|
I understand the point 1) now. |
{url: url, text: text, name: name, async: async}); | ||
return ''; | ||
var type = spf.nav.response.AttributeRegEx.TYPE.exec(attr); | ||
var inject = !type || type[1].indexOf('/javascript') > 0 || |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use the spf.string.contains
function so the compiler can re-use the function call:
var inject = !type || spf.string.contains(type[1], '/javascript') ||
spf.string.contains(type[1], '/x-javascript') ||
spf.string.contains(type[1], '/ecmascript');
Thanks for the PR! This is looking good; I've just added a couple minor comments, but after those are fixed, I'll merge this in. |
I've just made last cleanup & squash commits |
Hi there! Unfortunately it looks the constant definition was lost in the last update:
|
oups, sorry. It's ok now. |
Great, the last thing I'll need is for you to update onto the latest changes from master so I can merge this! |
Great news, it's merged |
Would you mind squashing your commits? |
I think it's done, I'm not confortable with git rebase ... |
Looks perfect, thanks! |
We can have script tag with json data
These tag is not evaluated by browers as javascript if
type="application/json"
is present.This PR prevent spf to inject these tags as javascript