From b49937337f1163b033aaf43cfb31e0c3136e6c36 Mon Sep 17 00:00:00 2001
From: Dave MacFarlane
Date: Mon, 16 Aug 2021 10:52:37 -0400
Subject: [PATCH] [Publication] Set Content-Type for ajax responses (#7532)

This sets the Content-Type header for the ajax responses in the publication module. Because it's not explicitly set, PHP is defaulting to text/html. This means that, in the event that a user directly accesses the endpoint, the browser will interpret the page as HTML, not JSON, and interpret any data in the object as HTML tags, opening the possibility of an XSS attack if the an someone is tricked into accessing the ajax endpoint directly. The frontend isn't directly vulnerable, because the data is only interpreted by React. Setting the Content-Type explicitly to the correct "application/json" means that browsers should interpret the data correctly even if accessed directly, rather than interpreting HTML tags.
---
 modules/publication/ajax/getData.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/publication/ajax/getData.php b/modules/publication/ajax/getData.php
index 22ed9a6a7a6..adb118b2d97 100644
--- a/modules/publication/ajax/getData.php
+++ b/modules/publication/ajax/getData.php
@@ -20,6 +20,7 @@
 if ($action === 'getData') {
 if (userCanGetData($db, $user)) {
+ header('Content-Type: application/json');
 exit(json_encode(getData($db)));
 } else {
 http_response_code(403);
@@ -31,6 +32,7 @@
 } elseif ($action === 'getProjectData') {
 $id = $_REQUEST['id'];
 if (userCanGetData($db, $user, $id)) {
+ header('Content-Type: application/json');
 exit(json_encode(getProjectData($db, $user, $id)));
 } else {
 http_response_code(403);
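Review bot: The added `header('Content-Type: application/json');` line still leaves the response open to content sniffing in clients that second-guess the declared type, so the concern described in the commit message is only partly closed; pairing it with `header('X-Content-Type-Options: nosniff');` in the same place would pin the type, and the same applies to the getProjectData hunk. The `exit(json_encode(getData($db)))` on the following line also sends an empty body with a 200 status whenever json_encode() returns false (invalid UTF-8, depth limit), which `exit(json_encode(getData($db), JSON_THROW_ON_ERROR))` would surface as an error instead. The header is set only inside the authorised branch, so if the 403 branch, whose body continues past the hunk, writes any message it still goes out under the text/html default. The if/elseif chain these hunks sit in ends outside both of them.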