Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks

Summary:
Some browsers will still sniff content types even with "Content-Type" and
"X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from
sniffing the content as HTML.

See T865.

Also unified some of the code on this pathway.

Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for
the test case in T865. Unit tests pass.

Reviewers: cbg, btrahan

Reviewed By: cbg

CC: aran, epriestley

Maniphest Tasks: T139, T865

Differential Revision: https://secure.phabricator.com/D1606
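The mitigation the summary describes (escape "<" and ">" inside the serialized JSON so a sniffing browser never sees an HTML tag, while the client still decodes the same value) is shown below as an added example. It is not Phabricator's code and not part of this revision; the function names, the sample payload and the header set are assumptions made for the illustration.

```javascript
// Added example, not Phabricator's implementation. Escape "<" and ">" in an
// already-serialized JSON document. JSON allows any character inside a string
// to be written as \uXXXX, and "<" / ">" can only ever occur inside string
// literals (never as structural characters), so the blanket replacement is
// lossless: JSON.parse returns exactly the original value, including keys.
function encodeJsonForBrowser(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

// Belt and braces: the body encoding above plus the headers that well-behaved
// browsers honour. The header names are standard; the object shape is assumed.
function buildJsonResponse(value) {
  return {
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: encodeJsonForBrowser(value),
  };
}

// True when the text contains no raw "<" or ">" at all. A sniffer that scans
// the first bytes for "<html", "<script", "<!--" and friends then has nothing
// to match, regardless of what the declared Content-Type says.
function containsNoRawTags(text) {
  return !/[<>]/.test(text);
}

// Constructed sample: attacker-influenced strings in both a value and a key,
// as could reach a Conduit/Ajax result from user-supplied content.
const SAMPLE = {
  result: { title: "<html><script>alert(document.cookie)</script>" },
  "<key>": "a\\b<>",   // a literal backslash next to the escaped characters
  error_code: null,
};

// Plain JSON.stringify leaves the tags in place, which is what a sniffing
// browser would see; the encoded form carries only \u003c / \u003e.
const naive = JSON.stringify(SAMPLE);
const encoded = encodeJsonForBrowser(SAMPLE);
console.log("naive has tags:", !containsNoRawTags(naive));
console.log("encoded has tags:", !containsNoRawTags(encoded));
console.log("round-trips:", JSON.stringify(JSON.parse(encoded)) === naive);
```

Applying the replacement to the serialized text rather than to each field is what makes it cover object keys and nested values uniformly; a per-value approach has to be repeated at every call site and is easy to miss on a new pathway.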
epriestley
2012-02-14 14:51:51 -08:00
parent 8da4f981fb
commit c8b4bfdcd1
14 changed files with 143 additions and 16 deletions


@@ -85,7 +85,7 @@ $response = id(new ConduitAPIResponse())
->setResult($result)
->setErrorCode($error_code)
->setErrorInfo($error_info);
echo $response->toJSON(), "\n";
echo json_encode($response->toDictionary()), "\n";
// TODO -- how get $connection_id from SSH?
$connection_id = null;
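Review bot: `json_encode($response->toDictionary())` on the added line is called without `JSON_HEX_TAG`, so "<" and ">" are emitted raw on this pathway, which is the opposite of the encoding the summary describes for the browser-facing responses. If that is deliberate because this output goes to the SSH client referenced in the `$connection_id` TODO and never to a browser, a one-line comment next to the `echo` saying so would stop the next reader from "fixing" it; if the pathways are meant to be unified, route this through the same helper the Ajax responses use so the escaping lives in one place.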