
Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks

Authored by epriestley <git@epriestley.com> on Feb 14 2012, 23:51.

Description

Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks

Summary:
Some browsers will still sniff content types even with "Content-Type" and
"X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from
sniffing the content as HTML.

See T865.

Also unified some of the code on this pathway.

Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for
the test case in T865. Unit tests pass.

Reviewers: cbg, btrahan

Reviewed By: cbg

CC: aran, epriestley

Maniphest Tasks: T139, T865

Differential Revision: https://secure.phabricator.com/D1606
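The commit above describes the defence in one sentence: leave the JSON value unchanged, but make sure the raw response bytes never contain "<" or ">" so a browser that ignores "Content-Type" and "X-Content-Type-Options: nosniff" has nothing to sniff as HTML. The block below is an added illustration in Python, not Phabricator's PHP code and not part of this revision; the function names, the "&" escape, and the crude `looks_like_html` heuristic standing in for a browser's sniffer are assumptions made for the example.

```python
import json
import re

# JSON allows any character inside a string to be written as \uXXXX, so
# rewriting these characters after serialisation changes the bytes on the
# wire but not the value a JSON parser recovers. "&" is escaped as well
# (an assumption beyond the commit, which only names "<" and ">").
_HTML_SENSITIVE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def encode_json_response(payload):
    """Serialise payload as JSON with no literal markup characters."""
    text = json.dumps(payload, ensure_ascii=False)
    # Structural JSON tokens are only {}[]:," so every "<", ">" or "&"
    # present here sits inside a string literal and is safe to rewrite.
    for char, escape in _HTML_SENSITIVE.items():
        text = text.replace(char, escape)
    return text


def round_trips(payload):
    """True when the escaped text decodes to exactly the original value."""
    return json.loads(encode_json_response(payload)) == payload


def looks_like_html(body):
    """Constructed stand-in for a sniffing heuristic: does the start of the
    body contain something that reads as an HTML tag?  Real browsers use
    their own tables; the point is only that escaped output has no '<' for
    any such heuristic to match on."""
    head = body[:512].lstrip().lower()
    return bool(re.search(
        r"<(!doctype|html|script|body|head|iframe|img|a|div|p|table)[\s>]",
        head,
    ))


def build_response(payload):
    """Headers plus body as an Ajax endpoint would emit them.  The headers
    are still sent; the escaped body is the fallback for browsers that
    sniff regardless of them."""
    headers = {
        "Content-Type": "application/json; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, encode_json_response(payload)


if __name__ == "__main__":
    # Constructed sample: a field whose content is attacker-controlled.
    sample = {"result": {"title": "<script>alert(1)</script>", "q": "a&b"}}
    naive = json.dumps(sample)
    headers, body = build_response(sample)
    print("naive body sniffs as HTML:", looks_like_html(naive))
    print("escaped body sniffs as HTML:", looks_like_html(body))
    print("escaped body decodes unchanged:", round_trips(sample))
    print(body)
```

PHP's own `json_encode` offers the same rewrite through the `JSON_HEX_TAG` and `JSON_HEX_AMP` flags; the escaping belongs in the one place that serialises every JSON/Ajax response, which is what the commit's "unified some of the code on this pathway" points at.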

Details

Committed
epriestley <git@epriestley.com>, Feb 14 2012, 23:51
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH8da4f981fb12: Always display Branch in revision
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHc8b4bfdcd1cc: Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks (authored by epriestley <git@epriestley.com>). Feb 14 2012, 23:51