SECURITY: Ensure the JavaScript content type is sent in form responses. If the content type is HTML and the JavaScript contains script tags, the browser will execute that content.
parent
c1d2cd1293
commit
9bf3ae9a19
@ -72,15 +72,16 @@ class FormResponse {
|
||||
* @return string
|
||||
*/
|
||||
static function respond() {
|
||||
$response = new SS_HTTPResponse();
|
||||
|
||||
// we don't want non-ajax calls to receive javascript
|
||||
if(isset($_REQUEST['forcehtml'])) {
|
||||
return self::$non_ajax_content;
|
||||
$response->setBody(self::$non_ajax_content);
|
||||
} else if(isset($_REQUEST['forceajax']) || Director::is_ajax()) {
|
||||
// TODO figure out a way to stay backwards-compatible with Ajax.Evaluator and still use the automatic evaluating of Prototype
|
||||
//header("Content-type: text/javascript");
|
||||
return self::get_javascript();
|
||||
$response->addHeader('Content-Type', 'text/javascript');
|
||||
$response->setBody(self::get_javascript());
|
||||
} elseif(!empty(self::$non_ajax_content)) {
|
||||
return self::$non_ajax_content;
|
||||
$response->setBody(self::$non_ajax_content);
|
||||
} elseif(!empty(self::$redirect_url)) {
|
||||
Director::redirect(self::$redirect_url);
|
||||
return null;
|
||||
@ -90,7 +91,8 @@ class FormResponse {
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
||||
/**
|
||||
|
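Review bot: The new `$response->addHeader('Content-Type', 'text/javascript');` in the `forceajax`/`Director::is_ajax()` branch declares no charset and the response sets no `X-Content-Type-Options`, so the fix rests entirely on the client honouring the declared type; because that branch is reachable from an ordinary navigation through the user-controlled `$_REQUEST['forceajax']`, a content-sniffing client could still treat HTML-looking output as a document. Consider `$response->addHeader('Content-Type', 'text/javascript; charset=utf-8');` together with `$response->addHeader('X-Content-Type-Options', 'nosniff');` on that branch. The `forcehtml` and `non_ajax_content` branches set a body with no explicit Content-Type, presumably relying on an SS_HTTPResponse default that is not visible here. The docblock's `@return string` (a context line of the first hunk) is now stale, since the method returns `$response`, an SS_HTTPResponse, or null on the redirect and fall-through branches; it should read `@return SS_HTTPResponse|null`. respond() spans both hunks, and the closing brace of the class lies outside them.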