[Publication] Set Content-Type for ajax responses (#7532)
This sets the Content-Type header for the ajax responses
in the publication module. Because it's not explicitly
set, PHP is defaulting to text/html. This means that, in
the event that a user directly accesses the endpoint, the
browser will interpret the page as HTML, not JSON, and interpret
any data in the object as HTML tags, opening the possibility of
an XSS attack if someone is tricked into accessing the
ajax endpoint directly.

The frontend isn't directly vulnerable, because the data is only
interpreted by React.

Setting the Content-Type explicitly to the correct "application/json"
means that browsers should interpret the data correctly even if
accessed directly, rather than interpreting HTML tags.
driusan committed Aug 16, 2021
1 parent f4d97cd commit b499373
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions modules/publication/ajax/getData.php
Expand Up @@ -20,6 +20,7 @@

if ($action === 'getData') {
if (userCanGetData($db, $user)) {
header('Content-Type: application/json');
exit(json_encode(getData($db)));
} else {
http_response_code(403);
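Review bot: the header is sent only on the success path, inside `if (userCanGetData($db, $user))`, so the `else` branch that calls `http_response_code(403)` still goes out under PHP's default text/html. If that branch prints any body, a browser hitting the endpoint directly renders it as HTML. Consider sending `header('Content-Type: application/json');` once, before the `if ($action === 'getData')` dispatch, so every response from this file carries it, and adding `header('X-Content-Type-Options: nosniff');` next to it so the declared type is not second-guessed by content sniffing.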
Expand All @@ -31,6 +32,7 @@
} elseif ($action === 'getProjectData') {
$id = $_REQUEST['id'];
if (userCanGetData($db, $user, $id)) {
header('Content-Type: application/json');
exit(json_encode(getProjectData($db, $user, $id)));
} else {
http_response_code(403);
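Review bot: `exit(json_encode(getProjectData($db, $user, $id)));` still writes `<` and `>` verbatim inside string values, so the fix rests entirely on the browser honouring the new header. Passing `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` as the second argument to `json_encode` here and in the `getData` branch would keep the payload inert even if it is ever served or embedded as HTML. Separately, the context line `$id = $_REQUEST['id'];` reads the parameter with no isset or type check before it reaches `userCanGetData` and `getProjectData`; validating it up front and returning a 400 on a missing or malformed value would be worth a follow-up.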