[Rt-commit] rt branch, 4.2/config-in-js, created. rt-4.0.7-324-g667ae36
Alex Vandiver
alexmv at bestpractical.com
Tue Nov 20 21:58:17 EST 2012
The branch, 4.2/config-in-js has been created
at 667ae3661d7a1fadf7048d25c669917e5bcbd476 (commit)
- Log -----------------------------------------------------------------
commit 14a5c44ed0626da1673ce493891a74baee70e87b
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Nov 20 21:24:24 2012 -0500
Escape '/'s in JSON, to allow safe use in <script> tags
The JSON produced by the JSON module is unsuitable for insertion into
HTML; user-supplied data could contain the string '</script>' which
would immediately close the surrounding <script> tag and allow for XSS
injection.
Escape all '/'s into '\/', a transformation which is allowed by the JSON
syntax. This prevents insertion of </script>, by transforming it into
the HTML-harmless token <\/script>. While JSON::PP has an option for
this ("escape_slash"), it is not currently supported by JSON::XS; as
such, implement escaping of '/'s by way of a regular expression.
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 657e337..ba2928b 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -155,7 +155,9 @@ value or a reference.
=cut
sub EncodeJSON {
- JSON::to_json(shift, { utf8 => 1, allow_nonref => 1 });
+ my $s = JSON::to_json(shift, { utf8 => 1, allow_nonref => 1 });
+ $s =~ s{/}{\\/}g;
+ return $s;
}
sub _encode_surrogates {
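Review bot: the substitution at `$s =~ s{/}{\\/}g;` only neutralizes the `</script>` sequence; a bare `<` still reaches the HTML parser untouched, and HTML's script-data parsing also treats `<!--` specially, so the more robust form is to emit `<` as `\u003c` (and `>` and `&` as `\u003e` / `\u0026`), which the JSON grammar permits inside strings and which decodes back to the original characters. Two properties worth stating in a comment next to the regex: it is safe to run on the `utf8 => 1` byte string because 0x2F never occurs inside a multi-byte UTF-8 sequence, and a backslash in the data is already emitted as `\\`, so `\\/` becomes `\\\/` and still parses as a literal backslash followed by a slash. Please also extend the POD above (the hunk shows only `value or a reference.`) to say that the returned string is safe to interpolate into a `<script>` block, since that is now the contract callers rely on.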
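The breakout and the escaping described in the commit message above, as an added example in JavaScript (Node) that is not RT's code: `encodeJSONSlashOnly` does exactly what the patch's regex does, `encodeJSONForScript` goes one step further and also emits `<`, `>` and `&` as JSON `\uXXXX` escapes, and `scriptBreaksOut` is a deliberately simplified stand-in for the browser's HTML tokenizer, which ends a `<script>` element at the first `</script` it sees regardless of JavaScript string syntax. `SAMPLE_CONFIG` is constructed sample data and every function name here is this example's own.

```javascript
// Added example (not RT's code): making JSON safe to embed in a <script> block.

// Exactly the patch's approach: turn every "/" into "\/", which JSON allows.
function encodeJSONSlashOnly(value) {
  return JSON.stringify(value).replace(/\//g, '\\/');
}

// Going beyond the patch: also escape "<", ">" and "&" as \uXXXX so that no
// HTML-significant character reaches the tokenizer at all. JSON.parse turns
// each escape back into the original character, so the round trip is lossless.
const SCRIPT_SAFE = {
  '/': '\\/',
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
};
function encodeJSONForScript(value) {
  // JSON.stringify already escapes quotes, backslashes and control characters;
  // "/" and "<" are passed through untouched, which is what lets "</script>" in.
  return JSON.stringify(value).replace(/[\/<>&]/g, (ch) => SCRIPT_SAFE[ch]);
}

// Simplified model of the HTML tokenizer (assumption, not a full parser): the
// script element ends at the first "</script" in its text, case-insensitively,
// no matter what the surrounding JavaScript syntax is.
function scriptBreaksOut(scriptBody) {
  return /<\/script/i.test(scriptBody);
}

// Number of "</script" occurrences in a fragment of HTML; a well-formed inline
// script block should contain exactly one (its own closing tag).
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// The same shape of block the JavascriptConfig component emits, with the
// encoder pluggable so the unsafe and safe variants can be compared.
function inlineScriptBody(config, encoder = encodeJSONForScript) {
  return `window.RT = {};\nRT.Config = ${encoder(config)};`;
}
function buildInlineScript(config, encoder = encodeJSONForScript) {
  return `<script>\n${inlineScriptBody(config, encoder)}\n</script>`;
}

// Constructed sample: one value carries a breakout payload, one carries a
// literal backslash-slash pair to show that existing escapes survive, and one
// carries a non-ASCII character to show it is left alone.
const SAMPLE_CONFIG = {
  rtname: 'example.com </script><script>alert(1)</script>',
  WebPath: '/rt',
  note: 'backslash-slash \\/ and unicode \u00e9',
};

// Stand-alone demonstration: plain JSON.stringify breaks out, both escapers do not.
console.log('naive breaks out:', scriptBreaksOut(inlineScriptBody(SAMPLE_CONFIG, JSON.stringify)));
console.log('slash-only breaks out:', scriptBreaksOut(inlineScriptBody(SAMPLE_CONFIG, encodeJSONSlashOnly)));
console.log('full breaks out:', scriptBreaksOut(inlineScriptBody(SAMPLE_CONFIG)));
console.log(buildInlineScript(SAMPLE_CONFIG));
```

The slash-only variant is enough to stop `</script>` specifically, which is all the patch sets out to do; the `\u003c` form is the one to prefer when the same encoder is also used for other HTML contexts, because it leaves no `<` in the output for any parser state to act on.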
commit 667ae3661d7a1fadf7048d25c669917e5bcbd476
Author: Thomas Sibley <trs at bestpractical.com>
Date: Mon Sep 24 19:03:28 2012 -0700
Embed config and current user data into each page for javascript
Enables smarter, more dynamic, more cacheable JS which doesn't need to
rely on being generated by Mason.
There is much more data likely to be useful in both of these data
structures; this is just a start.
diff --git a/share/html/Elements/HeaderJavascript b/share/html/Elements/HeaderJavascript
index d5741f4..7c9c4b8 100644
--- a/share/html/Elements/HeaderJavascript
+++ b/share/html/Elements/HeaderJavascript
@@ -49,6 +49,7 @@
$focus => undef
$onload => undef
</%args>
+<& JavascriptConfig &>
% for my $jsfile ( @js_files ) {
<script type="text/javascript" src="<%RT->Config->Get('WebPath')%>/NoAuth/js/<% $jsfile %>"></script>
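Review bot: placing `<& JavascriptConfig &>` before the `@js_files` loop is the right order, since it makes `RT.Config` and `RT.CurrentUser` available to every file loaded afterwards, but it introduces the only inline `<script>` in this header; if a Content-Security-Policy without 'unsafe-inline' is ever applied, that block will need a nonce or hash, so a short comment on why it must be inline (it carries per-request data) would help the next reader. Minor: the script tags generated here carry `type="text/javascript"` while the new component's tag omits it; harmless in HTML5, but worth keeping consistent.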
diff --git a/share/html/Elements/JavascriptConfig b/share/html/Elements/JavascriptConfig
new file mode 100644
index 0000000..0fc3d51
--- /dev/null
+++ b/share/html/Elements/JavascriptConfig
@@ -0,0 +1,25 @@
+<%init>
+my $Config = {};
+$Config->{$_} = RT->Config->Get( $_, $session{CurrentUser} )
+ for qw(rtname WebPath);
+
+my $CurrentUser = {};
+if ($session{CurrentUser} and $session{CurrentUser}->id) {
+ $CurrentUser->{$_} = $session{CurrentUser}->$_
+ for qw(id Name EmailAddress);
+
+ $CurrentUser->{Privileged} = $session{CurrentUser}->Privileged
+ ? JSON::true : JSON::false;
+}
+
+$m->callback(
+ CallbackName => "Data",
+ CurrentUser => $CurrentUser,
+ Config => $Config,
+);
+</%init>
+<script>
+window.RT = {};
+RT.CurrentUser = <% JSON( $CurrentUser ) |n%>;
+RT.Config = <% JSON( $Config ) |n%>;
+</script>
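Review bot: both interpolations use the `|n` filter, so Mason's HTML escaping is switched off and the safety of this block rests entirely on `JSON()` producing script-safe output; the diff does not show where `JSON()` comes from, so confirm it routes through `EncodeJSON` in `RT::Interface::Web` (which escapes `/`) rather than calling `JSON::to_json` directly, and add a comment on the `|n` lines saying that this is the reason it is safe. Everything placed in `$Config` (`rtname`, `WebPath`) and `$CurrentUser` (`id`, `Name`, `EmailAddress`, `Privileged`) lands verbatim in the page source, and the `Data` callback lets extensions add arbitrary further keys, so the callback deserves a documentation note that anything added there is exposed to client-side JavaScript on every page for that user. Minor: `window.RT = {};` unconditionally replaces any existing `RT` global; `window.RT = window.RT || {};` avoids clobbering it if another component ever defines it first.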
-----------------------------------------------------------------------