From 4174060d5bd3721089ea9b949da9f2ea667c67a7 Mon Sep 17 00:00:00 2001 From: Sam Stephenson Date: Tue, 24 Apr 2007 03:34:30 +0000 Subject: [PATCH] prototype: Don't call evalResponse() when an Ajax response has no Content-type header. Closes #7827. --- CHANGELOG | 2 ++ src/ajax.js | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 69dfe48..0c3a831 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Don't call evalResponse() when an Ajax response has no Content-type header. Closes #7827. [Tobie Langel] + * Automatically strip security delimiter comments from JSON strings before evaling them. The default delimiter is '/*-secure- ... */' or you can specify your own with the Prototype.JSONFilter regular expression. If you wrap your JSON response bodies in this delimiter on the server side, rogue external sites can't hijack potentially sensitive data via
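Review bot: the new CHANGELOG line ("Don't call evalResponse() when an Ajax response has no Content-type header") states what is no longer done but not what now happens to such a response; since the src/ajax.js hunk is not reproduced here, a reader of the changelog cannot tell whether the body is still delivered to the callbacks unevaluated or silently dropped, so one clause naming the fallback (whichever src/ajax.js actually implements) would make the entry self-contained and tell callers whether they must now handle un-evaluated bodies themselves. Minor style point: the header is conventionally spelled `Content-Type`; the entry and the subject line both use `Content-type`, which is fine as long as the check in src/ajax.js is case-insensitive, and the entry could say so.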