r55119 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r55118‎ \| r55119 \| r55120 >
Date:	22:38, 15 August 2009
Author:	dale
Status:	ok (Comments)
Tags:
Comment:	* removed plain-text output because IE is retarded treats plain-text as html (in fact no mime type I have found lets you send text to IE and have it treat it like text :( ....
Modified paths:	/trunk/phase3/includes/api/ApiFormatJson.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/api/ApiFormatJson.php
—	—	@@ -46,10 +46,6 @@
47	47	if( $params['callback']){
48	48	return 'text/javascript';
49	49	}
50		~~- //check for text content request~~
51		~~- if( isset( $params['ctypetext']) && $params['ctypetext']) {~~
52		~~- return 'text/plain';~~
53		~~- }~~
54	50	return 'application/json';
55	51	}
56	52
—	—	@@ -86,22 +82,20 @@
87	83	if (!function_exists('json_encode') \|\| $isHtml \|\| strtolower(json_encode("\xf0\xa0\x80\x80")) != '\ud840\udc00') {
88	84	$json = new Services_JSON();
89	85	return $json->encode($value, $isHtml) ;
90		~~- } else {~~
	86	+ } else {
91	87	return json_encode($value);
92	88	}
93	89	}
94	90
95	91	public function getAllowedParams() {
96	92	return array (
97		~~- 'callback' => null,~~
98		~~- 'ctypetext' => null~~
	93	+ 'callback' => null,
99	94	);
100	95	}
101	96
102	97	public function getParamDescription() {
103	98	return array (
104		~~- 'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',~~
105		~~- 'ctypetext'=> 'Used to set the content type of the json result to plain-text (useful for evaling iframe uploads)',~~
	99	+ 'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',
106	100	);
107	101	}
108	102

Comments

#Comment by Brion VIBBER (talk | contribs) 23:06, 18 August 2009

Fixes XSS security hole which was introduced. Thanks!

#Comment by Mdale (talk | contribs) 00:35, 19 August 2009

yea don't know if I should get much credit considering I introduced it (its only a xss hole for broken browsers (ie IE) ) but at any rate it turns out the jsonfm response worked pretty well:

var doc = iframe.contentDocument ? iframe.contentDocument : frames[iframe.id].document; json_str = $j(doc.body).find('pre').html(); return window["eval"]("(" +json_str + ")");

Status & tagging log

23:06, 18 August 2009 Brion VIBBER (talk | contribs) changed the status of r55119 [removed: new added: ok]