Changeset 6556
- Timestamp:
- 04/24/07 03:31:14 (1 year ago)
- Files:
-
- spinoffs/prototype/trunk/CHANGELOG (modified) (1 diff)
- spinoffs/prototype/trunk/src/ajax.js (modified) (2 diffs)
- spinoffs/prototype/trunk/src/prototype.js (modified) (2 diffs)
- spinoffs/prototype/trunk/src/string.js (modified) (1 diff)
- spinoffs/prototype/trunk/test/unit/string.html (modified) (1 diff)
spinoffs/prototype/trunk/CHANGELOG
r6555 r6556 1 1 *SVN* 2 3 * Automatically strip security delimiter comments from JSON strings before evaling them. The default delimiter is '/*-secure- ... */' or you can specify your own with the Prototype.JSONFilter regular expression. If you wrap your JSON response bodies in this delimiter on the server side, rogue external sites can't hijack potentially sensitive data via <script> tags. Closes #7910. [Tobie Langel] 4 For more details on potential security problems, see: http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf 2 5 3 6 * Add extra spacing so Array#toJSON and Hash#toJSON generate YAML-loadable JSON. Closes #7883. [Andrew Dupont] spinoffs/prototype/trunk/src/ajax.js
r6059 r6556 213 213 try { 214 214 var json = this.getHeader('X-JSON'); 215 return json ? eval('(' + json + ')') : null;215 return json ? json.evalJSON() : null; 216 216 } catch (e) { return null } 217 217 }, … … 219 219 evalResponse: function() { 220 220 try { 221 return eval( this.transport.responseText);221 return eval((this.transport.responseText || '').unfilterJSON()); 222 222 } catch (e) { 223 223 this.dispatchException(e); spinoffs/prototype/trunk/src/prototype.js
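Review bot: The new `json.evalJSON()` on line 215 passes no `sanitize` argument, so after the delimiter is stripped the X-JSON header value still goes straight to `eval`; the `/*-secure- ... */` wrapper only stops a cross-site `<script>` inclusion from executing the body, it does not validate it. If consumers are known to send non-strict JSON in this header, a comment on that line should say so; otherwise `return json ? json.evalJSON(true) : null;` would reject anything that is not JSON before evaluating it (malformed headers would then surface as `null` through the existing `catch`). The `eval(...unfilterJSON())` on line 221 is the script-evaluation path and is presumably intended to run code, so I would not change it, but a short comment distinguishing the two call sites would help the next reader. Both enclosing functions start and end outside the hunk.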
r6501 r6556 10 10 Gecko: navigator.userAgent.indexOf('Gecko') > -1 && navigator.userAgent.indexOf('KHTML') == -1 11 11 }, 12 12 13 BrowserFeatures: { 13 14 XPath: !!document.evaluate, … … 17 18 document.createElement('form').__proto__) 18 19 }, 20 21 ScriptFragment: '<script[^>]*>([\u0001-\uFFFF]*?)</script>', 22 JSONFilter: /^\/\*-secure-\s*(.*)\s*\*\/\s*$/, 19 23 20 ScriptFragment: '<script[^>]*>([\u0001-\uFFFF]*?)</script>', 21 emptyFunction: function() {}, 24 emptyFunction: function() { }, 22 25 K: function(x) { return x } 23 26 } spinoffs/prototype/trunk/src/string.js
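Review bot: The `(.*)` capture in the new `JSONFilter` on line 22 does not match newline characters in JavaScript, so a delimited body that itself spans several lines (pretty-printed JSON) never matches; `unfilterJSON` then returns the string unchanged and `evalJSON` raises the "Badly formed JSON string" error. The `\s*` on either side only absorbs whitespace around a single-line payload, which is exactly the shape the new test in test/unit/string.html uses, so the test does not exercise this case. The neighbouring `ScriptFragment` already uses a newline-safe class for the same reason; `JSONFilter: /^\/\*-secure-\s*([\s\S]*?)\s*\*\/\s*$/,` would make the filter behave the same way. A one-line comment naming the delimiter this regex expects (`// strips the '/*-secure- ... */' wrapper a server may emit around JSON bodies`) would also help, since the constant has no documentation here.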
r6489 r6556 164 164 }, 165 165 166 unfilterJSON: function(filter) { 167 return this.sub(filter || Prototype.JSONFilter, '#{1}'); 168 }, 169 166 170 evalJSON: function(sanitize) { 171 var json = this.unfilterJSON(); 167 172 try { 168 if (!sanitize || (/^("(\\.|[^"\\\n\r])*?"|[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t])+?$/.test( this)))169 return eval('(' + this+ ')');170 } catch (e) { }171 throw new SyntaxError('Badly form ated JSON string: ' + this.inspect());173 if (!sanitize || (/^("(\\.|[^"\\\n\r])*?"|[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t])+?$/.test(json))) 174 return eval('(' + json + ')'); 175 } catch (e) { } 176 throw new SyntaxError('Badly formed JSON string: ' + this.inspect()); 172 177 }, 173 178 spinoffs/prototype/trunk/test/unit/string.html
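Review bot: `evalJSON` calls `this.unfilterJSON()` with no argument on line 171, so the `filter` parameter that `unfilterJSON` accepts on line 166 cannot be reached from `evalJSON`; a caller that needs another delimiter has to reassign the global `Prototype.JSONFilter`, which is process-wide state shared by every other caller. If that is the intended design, a comment on `unfilterJSON` should say so; otherwise a backward-compatible `evalJSON: function(sanitize, filter)` forwarding `filter` to `this.unfilterJSON(filter)` keeps the choice per call. Independently, `unfilterJSON` deserves a comment stating that stripping the delimiter is not validation: the wrapper only defends against cross-site `<script>` inclusion when the server emits it, and `sanitize` still defaults to false here, so untrusted bodies are evaluated unchecked unless the caller passes `true`. The enclosing object literal continues outside the hunk.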
r6489 r6556 431 431 assertRaise('SyntaxError', function(){dangerous.evalJSON(true)}); 432 432 assertEqual("Not scared!", attackTarget); 433 }} 433 434 assertEqual('hello world!', ('/*-secure-\n' + valid + '\n*/').evalJSON().test); 435 var temp = Prototype.JSONFilter; 436 Prototype.JSONFilter = /^\/\*(.*)\*\/$/; // test custom delimiters. 437 assertEqual('hello world!', ('/*' + valid + '*/').evalJSON().test); 438 Prototype.JSONFilter = temp; 439 }} 434 440 }, 'testlog'); 435 441 // ]]>
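Review bot: On lines 436–438 the global `Prototype.JSONFilter` is replaced and only restored after the assertion, but `('/*' + valid + '*/').evalJSON()` on line 437 is evaluated before `assertEqual` runs and throws a `SyntaxError` if the custom filter does not match; that exception would leave every later test running with the custom delimiter. Wrapping the assertion so the restore always runs avoids the leak: `try { assertEqual('hello world!', ('/*' + valid + '*/').evalJSON().test); } finally { Prototype.JSONFilter = temp; }`. It would also be worth adding a case where `valid` contains a line break inside the delimiter, since nothing here covers a multi-line body. `valid` is defined outside the hunk, and the enclosing test function starts outside it.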