SECURITY: Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed.

2024-10-01 05:39:10 +02:00 · 2012-05-03 11:54:54 +12:00 · 2012-05-03 11:54:54 +12:00 · 9bf3ae9a19
commit 9bf3ae9a19
parent c1d2cd1293
1 changed files with 8 additions and 6 deletions
--- a/core/control/FormResponse.php
+++ b/core/control/FormResponse.php
@ -72,15 +72,16 @@ class FormResponse {
 	 * @return string
 	 */
 	static function respond() {
+		$response = new SS_HTTPResponse();
+
 		// we don't want non-ajax calls to receive javascript
 		if(isset($_REQUEST['forcehtml'])) {
-			return self::$non_ajax_content;			
+			$response->setBody(self::$non_ajax_content);			
 		} else if(isset($_REQUEST['forceajax']) || Director::is_ajax()) {
-			// TODO figure out a way to stay backwards-compatible with Ajax.Evaluator and still use the automatic evaluating of Prototype
-			//header("Content-type: text/javascript");
-			return self::get_javascript();
+			$response->addHeader('Content-Type', 'text/javascript');
+			$response->setBody(self::get_javascript());
 		} elseif(!empty(self::$non_ajax_content)) {
-			return self::$non_ajax_content;			
+			$response->setBody(self::$non_ajax_content);			
 		} elseif(!empty(self::$redirect_url)) {
 			Director::redirect(self::$redirect_url);
 			return null;
@ -90,7 +91,8 @@ class FormResponse {
 		} else {
 			return null;
 		}
-		
+
+		return $response;
 	}
 	
 	/**