Merge pull request #55 from sharelatex/bg-avoid-text-html-content-type-in-responses

use explicit json content-type to avoid security issues with text/html
Brian Gough 2019-02-22 10:20:16 +00:00 committed by GitHub
commit 60cee0a219
2 changed files with 7 additions and 6 deletions


@ -79,7 +79,7 @@ module.exports = HttpController =
logger.log {project_id, doc_id, from, to}, "getting diff" logger.log {project_id, doc_id, from, to}, "getting diff"
DiffManager.getDiff project_id, doc_id, from, to, (error, diff) -> DiffManager.getDiff project_id, doc_id, from, to, (error, diff) ->
return next(error) if error? return next(error) if error?
res.send JSON.stringify(diff: diff) res.json {diff: diff}
getUpdates: (req, res, next = (error) ->) -> getUpdates: (req, res, next = (error) ->) ->
project_id = req.params.project_id project_id = req.params.project_id
@ -91,9 +91,10 @@ module.exports = HttpController =
UpdatesManager.getSummarizedProjectUpdates project_id, before: before, min_count: min_count, (error, updates, nextBeforeTimestamp) -> UpdatesManager.getSummarizedProjectUpdates project_id, before: before, min_count: min_count, (error, updates, nextBeforeTimestamp) ->
return next(error) if error? return next(error) if error?
res.send JSON.stringify res.json {
updates: updates updates: updates
nextBeforeTimestamp: nextBeforeTimestamp nextBeforeTimestamp: nextBeforeTimestamp
}
restore: (req, res, next = (error) ->) -> restore: (req, res, next = (error) ->) ->
{doc_id, project_id, version} = req.params {doc_id, project_id, version} = req.params
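Review bot: The switch to `res.json` at the `getDiff` and `getUpdates` handlers fixes the Content-Type for these two responses, but nothing in the hunk records why, so a later refactor back to `res.send JSON.stringify(...)` would reintroduce the problem silently; a short comment above the first call would anchor the intent, e.g. `# res.json sets Content-Type: application/json; res.send of a string defaults to text/html, which lets a browser interpret document text in the body as markup`. The diff and update payloads presumably carry user-authored document content, which is what makes the text/html default a concern here (confirm against what DiffManager returns). If other handlers in this module still respond with `res.send` of a serialized string, they keep the old content type and would need the same treatment; and sending `X-Content-Type-Options: nosniff` at the app level would stop browsers from sniffing past the explicit type. The enclosing `module.exports = HttpController` object starts and ends outside the hunk.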


@ -71,7 +71,7 @@ describe "HttpController", ->
from: @from.toString() from: @from.toString()
to: @to.toString() to: @to.toString()
@res = @res =
send: sinon.stub() json: sinon.stub()
@diff = [ u: "mock-diff" ] @diff = [ u: "mock-diff" ]
@DiffManager.getDiff = sinon.stub().callsArgWith(4, null, @diff) @DiffManager.getDiff = sinon.stub().callsArgWith(4, null, @diff)
@HttpController.getDiff @req, @res, @next @HttpController.getDiff @req, @res, @next
@ -82,7 +82,7 @@ describe "HttpController", ->
.should.equal true .should.equal true
it "should return the diff", -> it "should return the diff", ->
@res.send.calledWith(JSON.stringify(diff: @diff)).should.equal true @res.json.calledWith({diff: @diff}).should.equal true
describe "getUpdates", -> describe "getUpdates", ->
beforeEach -> beforeEach ->
@ -96,7 +96,7 @@ describe "HttpController", ->
before: @before.toString() before: @before.toString()
min_count: @min_count.toString() min_count: @min_count.toString()
@res = @res =
send: sinon.stub() json: sinon.stub()
@updates = ["mock-summarized-updates"] @updates = ["mock-summarized-updates"]
@UpdatesManager.getSummarizedProjectUpdates = sinon.stub().callsArgWith(2, null, @updates, @nextBeforeTimestamp) @UpdatesManager.getSummarizedProjectUpdates = sinon.stub().callsArgWith(2, null, @updates, @nextBeforeTimestamp)
@HttpController.getUpdates @req, @res, @next @HttpController.getUpdates @req, @res, @next
@ -107,7 +107,7 @@ describe "HttpController", ->
.should.equal true .should.equal true
it "should return the formatted updates", -> it "should return the formatted updates", ->
@res.send.calledWith(JSON.stringify(updates: @updates, nextBeforeTimestamp: @nextBeforeTimestamp)).should.equal true @res.json.calledWith({updates: @updates, nextBeforeTimestamp: @nextBeforeTimestamp}).should.equal true
describe "RestoreManager", -> describe "RestoreManager", ->
beforeEach -> beforeEach ->
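Review bot: The updated assertions in the "should return the diff" and "should return the formatted updates" cases confirm that `res.json` is called with the right object, but a stubbed `res.json` cannot verify the `Content-Type: application/json` header that motivated the commit, so the security property itself stays untested at this level. An acceptance-style test that issues a real request and checks `res.headers['content-type']` would pin it; I could not see whether such a test exists elsewhere in the repository. Dropping `send` from the `@res` stub is a good side effect, since any handler that still falls through to `res.send` now fails loudly instead of passing.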