fix($http): allow multiple json vulnerability prefixes

We now strip both forms of the prefix (with and without the trailing comma):
)]}',
)]}'
Vojta Jina 2011-10-18 17:03:48 -07:00 committed by Igor Minar
parent fdcc2dbfd3
commit fe633dd0cf
2 changed files with 12 additions and 1 deletions


@ -65,7 +65,8 @@ function $HttpProvider() {
// transform in-coming reponse data
transformResponse: function(data) {
if (isString(data)) {
if (/^\)\]\}',\n/.test(data)) data = data.substr(6);
// strip json vulnerability protection prefix
data = data.replace(/^\)\]\}',?\n/, '');
if (/^\s*[\[\{]/.test(data) && /[\}\]]\s*$/.test(data))
data = fromJson(data, true);
}
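Review bot: The new pattern on the `data.replace(...)` line strips the prefix only when a bare `\n` follows it, so a response that arrives as `)]}'\r\n…`, or with the payload directly after the prefix, keeps it. Such data starts with `)`, fails the `/^\s*[\[\{]/` test on the next line and never reaches `fromJson`, so the caller presumably receives the raw string with no error. If CRLF responses are in scope, `data = data.replace(/^\)\]\}',?\r?\n/, '');` would cover them. The comment could also say why the prefix exists, e.g. `// strip the ")]}'" prefix the server prepends so the body is not valid script when included cross-site (JSON hijacking); only matched at the very start`. The rest of transformResponse lies outside the hunk, so what is returned for unparsed data is not visible here.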


@ -743,6 +743,16 @@ describe('$http', function() {
expect(callback).toHaveBeenCalledOnce();
expect(callback.mostRecentCall.args[0]).toEqual([1, 'abc', {foo:'bar'}]);
});
it('should deserialize json with security prefix ")]}\'"', function() {
$httpBackend.expect('GET', '/url').respond(')]}\'\n\n[1, "abc", {"foo":"bar"}]');
$http({method: 'GET', url: '/url'}).on('200', callback);
$httpBackend.flush();
expect(callback).toHaveBeenCalledOnce();
expect(callback.mostRecentCall.args[0]).toEqual([1, 'abc', {foo:'bar'}]);
});
});
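Review bot: The added spec feeds `)]}'\n\n[...]`, so the second newline appears to be absorbed by the `\s*` of the JSON detection rather than by the strip, and nothing here pins the boundary cases of the new regex. Consider adding specs that a body containing `)]}'` anywhere but the start is left untouched, and that a prefixed non-JSON string loses only the prefix. A short comment such as `// prefix without trailing comma; the extra \n is left for the JSON whitespace check` would make the intent of the double newline clear. The enclosing `describe` starts outside the hunk.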