prototype: Don't call evalResponse() when an Ajax response has no Content-type header. Closes #7827.

2007-04-24 03:34:30 +00:00 · 2007-04-24 03:34:30 +00:00 · 4174060d5b
parent fea6bc1a21
commit 4174060d5b
2 changed files with 4 additions and 1 deletions
--- a/2
+++ b/2
@ -1,5 +1,7 @@
 *SVN*

+* Don't call evalResponse() when an Ajax response has no Content-type header.  Closes #7827.  [Tobie Langel]
+
 * Automatically strip security delimiter comments from JSON strings before evaling them.  The default delimiter is '/*-secure- ... */' or you can specify your own with the Prototype.JSONFilter regular expression.  If you wrap your JSON response bodies in this delimiter on the server side, rogue external sites can't hijack potentially sensitive data via <script> tags.  Closes #7910.  [Tobie Langel]
  For more details on potential security problems, see: http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf

--- a/src/ajax.js
+++ b/src/ajax.js
@ -185,7 +185,8 @@ Ajax.Request.prototype = Object.extend(new Ajax.Base(), {
        this.dispatchException(e);
      }
      
-      if ((this.getHeader('Content-type') || 'text/javascript').strip().
+      var contentType = this.getHeader('Content-type');
+      if (contentType && contentType.strip().
        match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i))
          this.evalResponse();
    }