Feature #13718 » issue-13718.diff
| lib/redmine/views/builders/json.rb | ||
|---|---|---|
| 27 | 27 |
super |
| 28 | 28 |
callback = request.params[:callback] || request.params[:jsonp] |
| 29 | 29 |
if callback && Setting.jsonp_enabled? |
| 30 |
self.jsonp = callback.to_s.gsub(/[^a-zA-Z0-9_]/, '') |
|
| 30 |
self.jsonp = callback.to_s.gsub(/[^a-zA-Z0-9_.]/, '')
|
|
| 31 | 31 |
end |
| 32 | 32 |
end |
| 33 | 33 | |
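Review bot: Admitting `.` into the character class at line 30 keeps the filter free of anything that could close the call expression, but stripping rather than validating now lets through names that are not a well-formed JavaScript member path — `aA1_.` (the value the updated test expects), a leading dot, a run of dots, or an empty string once every character is removed. A whitelist of dot-separated identifier segments would accept `jQuery.callback`-style names while rejecting the malformed ones: `self.jsonp = callback.to_s if callback.to_s =~ /\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/`. That changes the behaviour from sanitising to rejecting, so the integration test's expectation would need updating alongside it. The enclosing method begins above this hunk (line 27 is the `super` call), so the guard on `Setting.jsonp_enabled?` is the only visible gate on this path.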
| test/integration/api_test/jsonp_test.rb | ||
|---|---|---|
| 52 | 52 | |
| 53 | 53 |
def test_jsonp_should_strip_invalid_characters_from_callback |
| 54 | 54 |
with_settings :jsonp_enabled => '1' do |
| 55 |
get '/trackers.json?callback=+-aA$1_' |
|
| 55 |
get '/trackers.json?callback=+-aA$1_.'
|
|
| 56 | 56 |
end |
| 57 | 57 | |
| 58 | 58 |
assert_response :success |
| 59 |
assert_match %r{^aA1_\(\{"trackers":.+\}\)$}, response.body
|
|
| 59 |
assert_match %r{^aA1_.\(\{"trackers":.+\}\)$}, response.body
|
|
| 60 | 60 |
assert_equal 'application/javascript; charset=utf-8', response.headers['Content-Type'] |
| 61 | 61 |
end |
| 62 | 62 | |
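Review bot: The new assertion at line 59 leaves the dot unescaped inside `%r{^aA1_.\(…}`, so `.` matches any single character and the test would still pass if the sanitiser emitted some other byte in that position; the dot should be escaped, `assert_match %r{\AaA1_\.\(\{"trackers":.+\}\)\z}, response.body`. The same line anchors with `^`/`$`, which in Ruby match at line boundaries rather than the whole string, so `\A`/`\z` pins the assertion to the complete response body. Test method `test_jsonp_should_strip_invalid_characters_from_callback` is fully contained in this section.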