From 0682f7b10ce687db682fa9d45088910b4973765d Mon Sep 17 00:00:00 2001
From: divinity76
Date: Sat, 23 Jul 2022 09:26:16 +0200
Subject: [PATCH 1/2] fix xss / GH-2252

ref https://github.com/serghey-rodin/vesta/issues/2252
---
 web/api/v1/upload/UploadHandler.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/web/api/v1/upload/UploadHandler.php b/web/api/v1/upload/UploadHandler.php
index aedd747ca..0c80e8f40 100755
--- a/web/api/v1/upload/UploadHandler.php
+++ b/web/api/v1/upload/UploadHandler.php
@@ -1191,6 +1191,13 @@ class UploadHandler
 ));
 }
 }
+ if(!headers_sent()){
+ // this is the most likely/expected path.
+ header("Content-Type: text/javascript; charset=UTF-8");
+ } else {
+ // html-encode json to prevent xss...
+ $json = htmlentities($json, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML401);
+ }
 $this->body($json);
 }
 return $content;

From 7c4e9bad7d2e52f8c2eb80d6774e08183fe8d627 Mon Sep 17 00:00:00 2001
From: divinity76
Date: Sat, 23 Jul 2022 09:29:12 +0200
Subject: [PATCH 2/2] JSON not JS brainfart

---
 web/api/v1/upload/UploadHandler.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/api/v1/upload/UploadHandler.php b/web/api/v1/upload/UploadHandler.php
index 0c80e8f40..be264aac7 100755
--- a/web/api/v1/upload/UploadHandler.php
+++ b/web/api/v1/upload/UploadHandler.php
@@ -1193,7 +1193,7 @@ class UploadHandler
 }
 if(!headers_sent()){
 // this is the most likely/expected path.
- header("Content-Type: text/javascript; charset=UTF-8");
+ header("Content-Type: application/json");
 } else {
 // html-encode json to prevent xss...
 $json = htmlentities($json, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML401);
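Review bot: The `htmlentities` fallback in the new `else` branch turns every `"` in `$json` into `&quot;`, so the body that `$this->body($json)` emits on that path is no longer parseable JSON for any API client, and the branch only runs once `headers_sent()` is already true, i.e. after something else has fixed the response's Content-Type. A shape-preserving alternative is to have the `json_encode` call that produces `$json` (above the hunk, not visible here) pass `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT`, which keeps the payload valid JSON while making `<`, `&`, `'` and `"` inert should a browser ever render it as a document. In the `if` branch, pair the content type with `header('X-Content-Type-Options: nosniff');` so user agents do not sniff the JSON as HTML whatever type is sent; the same applies to the content-type line changed in the second patch. The surrounding code calls `$this->body($json)`, so if the class also has a header wrapper — presumably `$this->header(...)`, confirm against the rest of the file — the new `header()` calls should go through it for consistency. The enclosing method starts and ends outside the hunk.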