Encode HTML tags in JSON
While not encoding the HTML tags in the JSON response is perfectly fine since we set the proper mimetype as well as disable content sniffing a lot of automated code scanner do report this as security bug. Encoding them leads to less discussions and a lot of saved time.
This commit is contained in:
parent
e2cc778947
commit
f9e90e92d4
3 changed files with 22 additions and 8 deletions
|
@ -167,6 +167,6 @@ class OC_JSON{
|
|||
if (is_array($data)) {
|
||||
array_walk_recursive($data, array('OC_JSON', 'to_string'));
|
||||
}
|
||||
return json_encode($data);
|
||||
return json_encode($data, JSON_HEX_TAG);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -64,7 +64,7 @@ class JSONResponse extends Response {
|
|||
* @throws \Exception If data could not get encoded
|
||||
*/
|
||||
public function render() {
|
||||
$response = json_encode($this->data);
|
||||
$response = json_encode($this->data, JSON_HEX_TAG);
|
||||
if($response === false) {
|
||||
throw new \Exception(sprintf('Could not json_encode due to invalid ' .
|
||||
'non UTF-8 characters in the array: %s', var_export($this->data, true)));
|
||||
|
|
|
@ -66,13 +66,27 @@ class JSONResponseTest extends \Test\TestCase {
|
|||
$this->assertEquals($expected, $this->json->render());
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array
|
||||
*/
|
||||
public function testRenderProvider() {
|
||||
return [
|
||||
[
|
||||
['test' => 'hi'], '{"test":"hi"}',
|
||||
],
|
||||
[
|
||||
['<h1>test' => '<h1>hi'], '{"\u003Ch1\u003Etest":"\u003Ch1\u003Ehi"}',
|
||||
],
|
||||
];
|
||||
}
|
||||
|
||||
public function testRender() {
|
||||
$params = array('test' => 'hi');
|
||||
$this->json->setData($params);
|
||||
|
||||
$expected = '{"test":"hi"}';
|
||||
|
||||
/**
|
||||
* @dataProvider testRenderProvider
|
||||
* @param array $input
|
||||
* @param string $expected
|
||||
*/
|
||||
public function testRender(array $input, $expected) {
|
||||
$this->json->setData($input);
|
||||
$this->assertEquals($expected, $this->json->render());
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue