mirror of
https://github.com/jquery/jquery.git
synced 2024-11-23 02:54:22 +00:00
Tests: Strip untypical callback parameter characters from PHP files
Only allow alphanumeric characters & underscores for callback parameters.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes is easy to introduce security
issues if this cleanup is not done.
This is a 1.x/2.x version of PR gh-4871.
The change doesn't require a release; it's meant at installations testing
the latest state of `1.12-stable` & `2.2-stable` branches.
This change also fixes testing on Travis & on Chrome/Firefox.
Closes gh-4875
Ref gh-4764
Ref gh-4871
(cherry picked from acb7c49c8d
)
This commit is contained in:
parent
e09907ce15
commit
90a3c43982
@ -1,8 +1,9 @@
|
|||||||
language: node_js
|
language: node_js
|
||||||
sudo: false
|
os: linux
|
||||||
node_js:
|
node_js:
|
||||||
- "0.10"
|
|
||||||
- "0.12"
|
|
||||||
- "4"
|
- "4"
|
||||||
- "5"
|
|
||||||
- "6"
|
- "6"
|
||||||
|
- "8"
|
||||||
|
- "10"
|
||||||
|
- "12"
|
||||||
|
- "14"
|
||||||
|
@ -1,14 +1,15 @@
|
|||||||
<?php
|
<?php
|
||||||
error_reporting(0);
|
error_reporting(0);
|
||||||
|
function cleanCallback( $callback ) {
|
||||||
|
return preg_replace( '/[^a-z0-9_]/i', '', $callback );
|
||||||
|
}
|
||||||
$callback = $_REQUEST['callback'];
|
$callback = $_REQUEST['callback'];
|
||||||
if ( ! $callback ) {
|
if ( ! $callback ) {
|
||||||
$callback = explode("?",end(explode("/",$_SERVER['REQUEST_URI'])));
|
$callback = explode("?",end(explode("/",$_SERVER['REQUEST_URI'])));
|
||||||
$callback = $callback[0];
|
$callback = $callback[0];
|
||||||
}
|
}
|
||||||
$json = $_REQUEST['json'];
|
$json = $_REQUEST['json'] ?
|
||||||
if($json) {
|
'[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :
|
||||||
echo $callback . '([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])';
|
'{ "data": { "lang": "en", "length": 25 } }';
|
||||||
} else {
|
echo cleanCallback( $callback ) . '(' . $json . ')';
|
||||||
echo $callback . '({ "data": {"lang": "en", "length": 25} })';
|
|
||||||
}
|
|
||||||
?>
|
?>
|
||||||
|
@ -1,7 +1,11 @@
|
|||||||
<?php
|
<?php
|
||||||
error_reporting(0);
|
error_reporting(0);
|
||||||
|
function cleanCallback( $callback ) {
|
||||||
|
return preg_replace( '/[^a-z0-9_]/i', '', $callback );
|
||||||
|
}
|
||||||
$callback = $_REQUEST['callback'];
|
$callback = $_REQUEST['callback'];
|
||||||
|
$cleanCallback = cleanCallback( $callback );
|
||||||
$json = $_REQUEST['json'];
|
$json = $_REQUEST['json'];
|
||||||
$text = json_encode(file_get_contents(dirname(__FILE__)."/with_fries.xml"));
|
$text = json_encode(file_get_contents(dirname(__FILE__)."/with_fries.xml"));
|
||||||
echo "$callback($text)";
|
echo "$cleanCallback($text)\n";
|
||||||
?>
|
?>
|
||||||
|
@ -1519,6 +1519,11 @@ QUnit.module( "ajax", {
|
|||||||
};
|
};
|
||||||
} );
|
} );
|
||||||
|
|
||||||
|
// Chrome 78 dropped support for synchronous XHR requests inside of
|
||||||
|
// beforeunload, unload, pagehide, and visibilitychange event handlers.
|
||||||
|
// See https://bugs.chromium.org/p/chromium/issues/detail?id=952452
|
||||||
|
// Safari 13 did similar changes. The below check will catch them both.
|
||||||
|
if ( !/safari/i.test( navigator.userAgent ) ) {
|
||||||
testIframeWithCallback(
|
testIframeWithCallback(
|
||||||
"#14379 - jQuery.ajax() on unload",
|
"#14379 - jQuery.ajax() on unload",
|
||||||
"ajax/onunload.html",
|
"ajax/onunload.html",
|
||||||
@ -1527,6 +1532,7 @@ QUnit.module( "ajax", {
|
|||||||
assert.strictEqual( status, "success", "Request completed" );
|
assert.strictEqual( status, "success", "Request completed" );
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
}
|
||||||
|
|
||||||
// BrowserStack PATCH support sometimes breaks so on TestSwarm run the test in IE only.
|
// BrowserStack PATCH support sometimes breaks so on TestSwarm run the test in IE only.
|
||||||
// Unfortunately, all IE versions gets special treatment in request object creation
|
// Unfortunately, all IE versions gets special treatment in request object creation
|
||||||
|
@ -577,6 +577,7 @@ testIframeWithCallback(
|
|||||||
"tbody": true
|
"tbody": true
|
||||||
};
|
};
|
||||||
} else if ( /firefox/i.test( userAgent ) ) {
|
} else if ( /firefox/i.test( userAgent ) ) {
|
||||||
|
version = userAgent.match( /firefox\/(\d+)/i )[ 1 ];
|
||||||
expected = {
|
expected = {
|
||||||
"ajax": true,
|
"ajax": true,
|
||||||
"appendChecked": true,
|
"appendChecked": true,
|
||||||
@ -610,7 +611,7 @@ testIframeWithCallback(
|
|||||||
"radioValue": true,
|
"radioValue": true,
|
||||||
"reliableHiddenOffsets": true,
|
"reliableHiddenOffsets": true,
|
||||||
"reliableMarginRight": true,
|
"reliableMarginRight": true,
|
||||||
"reliableMarginLeft": false,
|
"reliableMarginLeft": version >= 61,
|
||||||
"shrinkWrapBlocks": false,
|
"shrinkWrapBlocks": false,
|
||||||
"style": true,
|
"style": true,
|
||||||
"submit": true,
|
"submit": true,
|
||||||
|
Loading…
Reference in New Issue
Block a user