Merge pull request #1514 from sharelatex/bg-avoid-text-html-content-type-in-responses

use explicit json content-type to avoid security issues with text/html GitOrigin-RevId: 0c8d96a61380231c5f878572ed91b8ab24375f56
2024-11-07 20:31:06 -05:00 · 2019-02-18 13:25:01 +00:00 · 2019-02-18 13:25:01 +00:00 · 43899589dc
commit 43899589dc
parent 2ab346e762
5 changed files with 8 additions and 8 deletions
--- a/services/web/app/coffee/Features/Documents/DocumentController.coffee
+++ b/services/web/app/coffee/Features/Documents/DocumentController.coffee
@ -27,8 +27,7 @@ module.exports =

 					else
 						projectHistoryId = project?.overleaf?.history?.id
-						res.type "json"
-						res.send JSON.stringify {
+						res.json {
 							lines: lines
 							version: version
 							ranges: ranges
--- a/services/web/app/coffee/Features/User/UserInfoController.coffee
+++ b/services/web/app/coffee/Features/User/UserInfoController.coffee
@ -37,7 +37,7 @@ module.exports = UserController =

 	sendFormattedPersonalInfo: (user, res, next = (error) ->) ->
 		info = UserController.formatPersonalInfo(user)
-		res.send JSON.stringify(info)
+		res.json info

 	formatPersonalInfo: (user, callback = (error, info) ->) ->
 		if !user?
--- a/services/web/test/acceptance/coffee/helpers/MockDocstoreApi.coffee
+++ b/services/web/test/acceptance/coffee/helpers/MockDocstoreApi.coffee
@ -21,7 +21,7 @@ module.exports = MockDocStoreApi =
 		
 		app.get "/project/:project_id/doc", (req, res, next) =>
 			docs = (doc for doc_id, doc of @docs[req.params.project_id])
-			res.send JSON.stringify docs
+			res.json docs

 		app.get "/project/:project_id/doc/:doc_id", (req, res, next) =>
 			{project_id, doc_id} = req.params
@ -29,7 +29,7 @@ module.exports = MockDocStoreApi =
 			if !doc? or (doc.deleted and !req.query.include_deleted)
 				res.sendStatus 404
 			else
-				res.send JSON.stringify doc
+				res.json doc

 		app.delete "/project/:project_id/doc/:doc_id", (req, res, next) =>
 			{project_id, doc_id} = req.params
--- a/services/web/test/unit/coffee/Documents/DocumentControllerTests.coffee
+++ b/services/web/test/unit/coffee/Documents/DocumentControllerTests.coffee
@ -64,7 +64,7 @@ describe "DocumentController", ->
 						.should.equal true

 				it "should return the document data to the client as JSON", ->
-					@res.type.should.equal "json"
+					@res.type.should.equal "application/json"
 					@res.body.should.equal JSON.stringify
 						lines: @doc_lines
 						version: @version
@ -91,7 +91,7 @@ describe "DocumentController", ->
 				@DocumentController.getDocument(@req, @res, @next)

 			it "should return the history id to the client as JSON", ->
-				@res.type.should.equal "json"
+				@res.type.should.equal "application/json"
 				@res.body.should.equal JSON.stringify
 					lines: @doc_lines
 					version: @version
--- a/services/web/test/unit/coffee/helpers/MockResponse.coffee
+++ b/services/web/test/unit/coffee/helpers/MockResponse.coffee
@ -56,11 +56,12 @@ class MockResponse
 				status = 200
 		@statusCode = status
 		@returned = true
+		@type = 'application/json'
 		if 200 <= status < 300
 			@success = true
 		else
 			@success = false
-		@body = body if body
+		@body = JSON.stringify(body) if body
 		@callback() if @callback?

 	status: (@statusCode)->