Ajax responses to prevent content-sniffing attacks
c8b4bfdcd1cc
Actions

Description

Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks

Summary:
Some browsers will still sniff content types even with "Content-Type" and
"X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from
sniffing the content as HTML.

See T865.

Also unified some of the code on this pathway.

Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for
the test case in T865. Unit tests pass.

Reviewers: cbg, btrahan

Reviewed By: cbg

CC: aran, epriestley

Maniphest Tasks: T139, T865

Differential Revision: https://secure.phabricator.com/D1606

Details

Provenance

epriestley	Authored on Feb 14 2012, 2:51 PM
themackabu	Pushed on Tue, Mar 25, 8:07 PM

Parents

rP8da4f981fb12: Always display Branch in revision

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (15)

Path

Size

scripts/

conduit/

api.php

src/

__phutil_library_map__.php

aphront/

response/

ajax/

AphrontAjaxResponse.php

base/

AphrontResponse.php

json

	json/
	webpage/

	AphrontJSONResponse.php
	AphrontWebpageResponse.php

	json/
	304/

__init__.php

sink/

base/

AphrontHTTPSink.php

__tests__/

AphrontHTTPSinkTestCase.php

__init__.php

applications/

conduit/

controller/

api/

PhabricatorConduitAPIController.php

__init__.php

protocol/

response/

ConduitAPIResponse.php

infrastructure/

celerity/

response/

CelerityStaticResourceResponse.php

webroot/

index.php

rPc8b4bfdcd1cc

View Options

scripts/conduit/api.php

View Options

src/__phutil_library_map__.php

View Options

src/aphront/response/ajax/AphrontAjaxResponse.php

View Options

src/aphront/response/base/AphrontResponse.php

View Options

src/aphront/response/json/AphrontJSONResponse.php

View Options

src/aphront/response/json/init.php

View Options

src/aphront/sink/base/AphrontHTTPSink.php

View Options

src/aphront/sink/base/tests/AphrontHTTPSinkTestCase.php

View Options

src/aphront/sink/base/tests/init.php

View Options

src/applications/conduit/controller/api/PhabricatorConduitAPIController.php

View Options

src/applications/conduit/controller/api/init.php

View Options

src/applications/conduit/protocol/response/ConduitAPIResponse.php

View Options

src/infrastructure/celerity/response/CelerityStaticResourceResponse.php

View Options

Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacksc8b4bfdcd1ccActions

Description

Details

Event Timeline

Changes (15)

rPc8b4bfdcd1cc

scripts/conduit/api.php

src/__phutil_library_map__.php

src/aphront/response/ajax/AphrontAjaxResponse.php

src/aphront/response/base/AphrontResponse.php

src/aphront/response/json/AphrontJSONResponse.php

src/aphront/response/json/__init__.php

src/aphront/sink/base/AphrontHTTPSink.php

src/aphront/sink/base/__tests__/AphrontHTTPSinkTestCase.php

src/aphront/sink/base/__tests__/__init__.php

src/applications/conduit/controller/api/PhabricatorConduitAPIController.php

src/applications/conduit/controller/api/__init__.php

src/applications/conduit/protocol/response/ConduitAPIResponse.php

src/infrastructure/celerity/response/CelerityStaticResourceResponse.php

webroot/index.php

Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks
c8b4bfdcd1cc
Actions

src/aphront/response/json/init.php

src/aphront/sink/base/tests/AphrontHTTPSinkTestCase.php

src/aphront/sink/base/tests/init.php

src/applications/conduit/controller/api/init.php