[HttpFoundation] JSONP callback validation

ro0NL · fabpot · commit 1159f8bba65d · 2016-10-05T12:15:52.000-07:00
diff --git a/src/Symfony/Component/HttpFoundation/JsonResponse.php b/src/Symfony/Component/HttpFoundation/JsonResponse.php
@@ -80,11 +80,19 @@ public static function create($data = null, $status = 200, $headers = array())
     public function setCallback($callback = null)
     {
         if (null !== $callback) {
-            // taken from http://www.geekality.net/2011/08/03/valid-javascript-identifier/
-            $pattern = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*+$/u';
+            // partially token from http://www.geekality.net/2011/08/03/valid-javascript-identifier/
+            // partially token from https://github.com/willdurand/JsonpCallbackValidator
+            //      JsonpCallbackValidator is released under the MIT License. See https://github.com/willdurand/JsonpCallbackValidator/blob/v1.1.0/LICENSE for details.
+            //      (c) William Durand <william.durand1@gmail.com>
+            $pattern = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*(?:\[(?:"(?:\\\.|[^"\\\])*"|\'(?:\\\.|[^\'\\\])*\'|\d+)\])*?$/u';
+            $reserved = array(
+                'break', 'do', 'instanceof', 'typeof', 'case', 'else', 'new', 'var', 'catch', 'finally', 'return', 'void', 'continue', 'for', 'switch', 'while',
+                'debugger', 'function', 'this', 'with', 'default', 'if', 'throw', 'delete', 'in', 'try', 'class', 'enum', 'extends', 'super',  'const', 'export',
+                'import', 'implements', 'let', 'private', 'public', 'yield', 'interface', 'package', 'protected', 'static', 'null', 'true', 'false',
+            );
             $parts = explode('.', $callback);
             foreach ($parts as $part) {
-                if (!preg_match($pattern, $part)) {
+                if (!preg_match($pattern, $part) || in_array($part, $reserved, true)) {
                     throw new \InvalidArgumentException('The callback name is not valid.');
                 }
             }
diff --git a/src/Symfony/Component/HttpFoundation/Tests/JsonResponseTest.php b/src/Symfony/Component/HttpFoundation/Tests/JsonResponseTest.php
@@ -213,6 +213,14 @@ public function testSetContentJsonSerializeError()
 
         JsonResponse::create($serializable);
     }
+
+    public function testSetComplexCallback()
+    {
+        $response = JsonResponse::fromJsonString('{foo: "bar"}');
+        $response->setCallback('ಠ_ಠ["foo"].bar[0]');
+
+        $this->assertEquals('/**/ಠ_ಠ["foo"].bar[0]({foo: "bar"});', $response->getContent());
+    }
 }
 
 if (interface_exists('JsonSerializable')) {

Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,14 @@ public function testSetContentJsonSerializeError()`
`213`	`213`
`214`	`214`	`JsonResponse::create($serializable);`
`215`	`215`	`}`
	`216`	`+`
	`217`	`+ public function testSetComplexCallback()`
	`218`	`+ {`
	`219`	`+ $response = JsonResponse::fromJsonString('{foo: "bar"}');`
	`220`	`+ $response->setCallback('ಠ_ಠ["foo"].bar[0]');`
	`221`	`+`
	`222`	`+ $this->assertEquals('/**/ಠ_ಠ["foo"].bar[0]({foo: "bar"});', $response->getContent());`
	`223`	`+ }`
`216`	`224`	`}`
`217`	`225`
`218`	`226`	`if (interface_exists('JsonSerializable')) {`