Changeset 6557
- Timestamp: 04/24/07 03:34:30 (1 year ago)
- Files:
  - spinoffs/prototype/trunk/CHANGELOG (modified) (1 diff)
  - spinoffs/prototype/trunk/src/ajax.js (modified) (1 diff)
spinoffs/prototype/trunk/CHANGELOG
r6556 r6557 1 1 *SVN* 2 3 * Don't call evalResponse() when an Ajax response has no Content-type header. Closes #7827. [Tobie Langel] 2 4 3 5 * Automatically strip security delimiter comments from JSON strings before evaling them. The default delimiter is '/*-secure- ... */' or you can specify your own with the Prototype.JSONFilter regular expression. If you wrap your JSON response bodies in this delimiter on the server side, rogue external sites can't hijack potentially sensitive data via <script> tags. Closes #7910. [Tobie Langel] spinoffs/prototype/trunk/src/ajax.js
r6556 r6557 186 186 } 187 187 188 if ((this.getHeader('Content-type') || 'text/javascript').strip(). 188 var contentType = this.getHeader('Content-type'); 189 if (contentType && contentType.strip(). 189 190 match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i)) 190 191 this.evalResponse();
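Review bot: the added CHANGELOG line ("Don't call evalResponse() when an Ajax response has no Content-type header") should also say that this is a behaviour change: before this changeset a missing header was treated as 'text/javascript' and the body was evaluated, so applications whose servers omit the header will stop having their responses eval'd after upgrading. A short clause such as "(previously such responses were evaluated as JavaScript)" would let readers of the changelog spot the migration impact.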
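Review bot: the guard in the ajax.js hunk is the right fix, since the old `|| 'text/javascript'` default meant any response lacking a Content-type header was handed to `this.evalResponse()`, but the intent is invisible in the code itself; add a one-line comment above `var contentType = this.getHeader('Content-type');` stating that an absent or empty header now means the body is never evaluated. The `contentType &&` test covers both null and the empty string, and `strip()` with the `(;.*)?$` tail still accepts parameters such as `; charset=utf-8`, which is the intended case.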