author | Lukas Reschke <lukas@owncloud.com> | 2015-09-03 00:44:46 +0200 |
committer | Lukas Reschke <lukas@owncloud.com> | 2015-09-03 00:44:46 +0200 |
commit | f9e90e92d4f97a3f00bf598800f829ea6d7f068d (patch) | |
tree | 057c18a7e7a61fe8a4bf54c7bea4b9c8599a6db0 | |
parent | e2cc778947affa78278dcd50f42844ef1a9dc0d3 (diff) | |
Encode HTML tags in JSON
While not encoding the HTML tags in the JSON response is perfectly fine, since we set the proper mimetype as well as disable content sniffing, a lot of automated code scanners report this as a security bug. Encoding them leads to fewer discussions and a lot of saved time.
-rw-r--r-- | lib/private/json.php | 2 | ||||
-rw-r--r-- | lib/public/appframework/http/jsonresponse.php | 2 | ||||
-rw-r--r-- | tests/lib/appframework/http/JSONResponseTest.php | 26 |
3 files changed, 22 insertions, 8 deletions
diff --git a/lib/private/json.php b/lib/private/json.php
index e32e937c01a..ac72f02f609 100644
--- a/lib/private/json.php
+++ b/lib/private/json.php
@@ -167,6 +167,6 @@ class OC_JSON{
 if (is_array($data)) {
 array_walk_recursive($data, array('OC_JSON', 'to_string'));
 }
- return json_encode($data);
+ return json_encode($data, JSON_HEX_TAG);
 }
 }
diff --git a/lib/public/appframework/http/jsonresponse.php b/lib/public/appframework/http/jsonresponse.php
index 456a5616d4d..1a509200dd7 100644
--- a/lib/public/appframework/http/jsonresponse.php
+++ b/lib/public/appframework/http/jsonresponse.php
@@ -64,7 +64,7 @@ class JSONResponse extends Response {
 * @throws \Exception If data could not get encoded
 */
 public function render() {
- $response = json_encode($this->data);
+ $response = json_encode($this->data, JSON_HEX_TAG);
 if($response === false) {
 throw new \Exception(sprintf('Could not json_encode due to invalid ' .
 'non UTF-8 characters in the array: %s', var_export($this->data, true)));
diff --git a/tests/lib/appframework/http/JSONResponseTest.php b/tests/lib/appframework/http/JSONResponseTest.php
index 692237f57b2..253c523934b 100644
--- a/tests/lib/appframework/http/JSONResponseTest.php
+++ b/tests/lib/appframework/http/JSONResponseTest.php
@@ -66,13 +66,27 @@ class JSONResponseTest extends \Test\TestCase {
 $this->assertEquals($expected, $this->json->render());
 }
+ /**
+ * @return array
+ */
+ public function testRenderProvider() {
+ return [
+ [
+ ['test' => 'hi'], '{"test":"hi"}',
+ ],
+ [
+ ['<h1>test' => '<h1>hi'], '{"\u003Ch1\u003Etest":"\u003Ch1\u003Ehi"}',
+ ],
+ ];
+ }
- public function testRender() {
- $params = array('test' => 'hi');
- $this->json->setData($params);
-
- $expected = '{"test":"hi"}';
-
+ /**
+ * @dataProvider testRenderProvider
+ * @param array $input
+ * @param string $expected
+ */
+ public function testRender(array $input, $expected) {
+ $this->json->setData($input);
 $this->assertEquals($expected, $this->json->render());
 }
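Review bot: `JSON_HEX_TAG` on the new `return json_encode($data, JSON_HEX_TAG);` line only converts `<` and `>`; if the goal is to stop scanners from flagging HTML metacharacters in JSON bodies, `&`, `'` and `"` will be the next findings, so consider `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` here and on the matching line in lib/public/appframework/http/jsonresponse.php, ideally through one shared constant so the two encoders cannot drift apart. As the description itself notes, the Content-Type and nosniff header are the actual control; a comment on the return line, `// JSON_HEX_TAG is defence in depth for scanners and HTML embedding; Content-Type and nosniff are the real protection`, would keep a later cleanup from dropping the flag as redundant. Unlike `JSONResponse::render()`, this path still returns `json_encode()`'s result without checking for `false`, so an encoding failure is passed to the caller as a boolean. The enclosing method begins outside the hunk.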
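Review bot: The docblock above `render()` (its `@throws` line is in the hunk) does not say that `<` and `>` are now emitted as `\u003C`/`\u003E`, which is a visible change for any consumer comparing rendered bodies byte-for-byte, as the updated test does; a line such as ` * HTML tag characters are hex-escaped (JSON_HEX_TAG) so the body can be embedded in HTML verbatim; decoded values are unchanged.` would record that. Because these are standard JSON escapes, `JSON.parse`/`json_decode` output is identical to before, which is worth stating so nobody reverts the flag on seeing "changed" responses. The docblock starts outside the hunk.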
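Review bot: `testRenderProvider` starts with `test`, so PHPUnit's default method discovery will also run it as a test case with no assertions (reported as risky/useless) in addition to its data-provider role; rename it, e.g. `public function renderProvider() {`, and update the annotation to `@dataProvider renderProvider`. Naming the datasets, `'plain' => [...]` and `'html tags' => [...]`, makes a failing case identifiable in the report. `$expected` could also carry a native `string` type as `$input` carries `array`. The test class continues outside the hunk.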