mirror of
https://github.com/jquery/jquery.git
synced 2024-11-23 02:54:22 +00:00
Tests: Strip untypical callback parameter characters from PHP files
Only allow alphanumeric characters & underscores for callback parameters. This is only test code so we're not fixing any security issue but it happens often enough that the whole jQuery repository directory structure is deployed onto the server with PHP enabled that it makes is easy to introduce security issues if this cleanup is not done. This is a 1.x/2.x version of PR gh-4871. The change doesn't require a release; it's meant at installations testing the latest state of `1.12-stable` & `2.2-stable` branches. This change also fixes testing on Travis & on Chrome/Firefox. Closes gh-4875 Ref gh-4764 Ref gh-4871
This commit is contained in:
parent
b14ce54334
commit
acb7c49c8d
@ -1,8 +1,9 @@
|
|||||||
language: node_js
|
language: node_js
|
||||||
sudo: false
|
os: linux
|
||||||
node_js:
|
node_js:
|
||||||
- "0.10"
|
|
||||||
- "0.12"
|
|
||||||
- "4"
|
- "4"
|
||||||
- "5"
|
|
||||||
- "6"
|
- "6"
|
||||||
|
- "8"
|
||||||
|
- "10"
|
||||||
|
- "12"
|
||||||
|
- "14"
|
||||||
|
@ -1,14 +1,15 @@
|
|||||||
<?php
|
<?php
|
||||||
error_reporting(0);
|
error_reporting(0);
|
||||||
|
function cleanCallback( $callback ) {
|
||||||
|
return preg_replace( '/[^a-z0-9_]/i', '', $callback );
|
||||||
|
}
|
||||||
$callback = $_REQUEST['callback'];
|
$callback = $_REQUEST['callback'];
|
||||||
if ( ! $callback ) {
|
if ( ! $callback ) {
|
||||||
$callback = explode("?",end(explode("/",$_SERVER['REQUEST_URI'])));
|
$callback = explode("?",end(explode("/",$_SERVER['REQUEST_URI'])));
|
||||||
$callback = $callback[0];
|
$callback = $callback[0];
|
||||||
}
|
}
|
||||||
$json = $_REQUEST['json'];
|
$json = $_REQUEST['json'] ?
|
||||||
if($json) {
|
'[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :
|
||||||
echo $callback . '([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])';
|
'{ "data": { "lang": "en", "length": 25 } }';
|
||||||
} else {
|
echo cleanCallback( $callback ) . '(' . $json . ')';
|
||||||
echo $callback . '({ "data": {"lang": "en", "length": 25} })';
|
|
||||||
}
|
|
||||||
?>
|
?>
|
||||||
|
@ -1,7 +1,11 @@
|
|||||||
<?php
|
<?php
|
||||||
error_reporting(0);
|
error_reporting(0);
|
||||||
|
function cleanCallback( $callback ) {
|
||||||
|
return preg_replace( '/[^a-z0-9_]/i', '', $callback );
|
||||||
|
}
|
||||||
$callback = $_REQUEST['callback'];
|
$callback = $_REQUEST['callback'];
|
||||||
|
$cleanCallback = cleanCallback( $callback );
|
||||||
$json = $_REQUEST['json'];
|
$json = $_REQUEST['json'];
|
||||||
$text = json_encode(file_get_contents(dirname(__FILE__)."/with_fries.xml"));
|
$text = json_encode(file_get_contents(dirname(__FILE__)."/with_fries.xml"));
|
||||||
echo "$callback($text)";
|
echo "$cleanCallback($text)\n";
|
||||||
?>
|
?>
|
||||||
|
@ -1758,6 +1758,11 @@ if ( typeof window.ArrayBuffer === "undefined" || typeof new XMLHttpRequest().re
|
|||||||
};
|
};
|
||||||
} );
|
} );
|
||||||
|
|
||||||
|
// Chrome 78 dropped support for synchronous XHR requests inside of
|
||||||
|
// beforeunload, unload, pagehide, and visibilitychange event handlers.
|
||||||
|
// See https://bugs.chromium.org/p/chromium/issues/detail?id=952452
|
||||||
|
// Safari 13 did similar changes. The below check will catch them both.
|
||||||
|
if ( !/safari/i.test( navigator.userAgent ) ) {
|
||||||
testIframeWithCallback(
|
testIframeWithCallback(
|
||||||
"#14379 - jQuery.ajax() on unload",
|
"#14379 - jQuery.ajax() on unload",
|
||||||
"ajax/onunload.html",
|
"ajax/onunload.html",
|
||||||
@ -1766,6 +1771,7 @@ if ( typeof window.ArrayBuffer === "undefined" || typeof new XMLHttpRequest().re
|
|||||||
assert.strictEqual( status, "success", "Request completed" );
|
assert.strictEqual( status, "success", "Request completed" );
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
}
|
||||||
|
|
||||||
ajaxTest( "#14683 - jQuery.ajax() - Exceptions thrown synchronously by xhr.send should be caught", 4, function( assert ) {
|
ajaxTest( "#14683 - jQuery.ajax() - Exceptions thrown synchronously by xhr.send should be caught", 4, function( assert ) {
|
||||||
return [ {
|
return [ {
|
||||||
|
@ -223,6 +223,7 @@ testIframeWithCallback(
|
|||||||
"reliableMarginRight": true
|
"reliableMarginRight": true
|
||||||
};
|
};
|
||||||
} else if ( /firefox/i.test( userAgent ) ) {
|
} else if ( /firefox/i.test( userAgent ) ) {
|
||||||
|
version = userAgent.match( /firefox\/(\d+)/i )[ 1 ];
|
||||||
expected = {
|
expected = {
|
||||||
"ajax": true,
|
"ajax": true,
|
||||||
"boxSizingReliable": true,
|
"boxSizingReliable": true,
|
||||||
@ -237,7 +238,7 @@ testIframeWithCallback(
|
|||||||
"pixelMarginRight": true,
|
"pixelMarginRight": true,
|
||||||
"pixelPosition": true,
|
"pixelPosition": true,
|
||||||
"radioValue": true,
|
"radioValue": true,
|
||||||
"reliableMarginLeft": false,
|
"reliableMarginLeft": version >= 61,
|
||||||
"reliableMarginRight": true
|
"reliableMarginRight": true
|
||||||
};
|
};
|
||||||
} else if ( /iphone os 9_/i.test( userAgent ) ) {
|
} else if ( /iphone os 9_/i.test( userAgent ) ) {
|
||||||
|
Loading…
Reference in New Issue
Block a user