Luke Plant committed 28490de

Fixed security issue with sending Arrays as top-level object in a JSON response

In some browsers, cross-site stealing of data can occur if JSON is loaded
into a <script> and the top level object is an Array.

Files changed (2)

autocomplete/static/js/jquery_autocomplete.js

     this.source = function (request, response) {
         function success(data) {
             var parsed = [];
-            for (var i in data) {
+            var results = data.result;
+            for (var i in results) {
                 parsed[parsed.length] = {
-                    id: data[i][0],
-                    value: data[i][1],
-                    label: data[i][1]
+                    id: results[i][0],
+                    value: results[i][1],
+                    label: results[i][1]
                 };
             }
             response(parsed);
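Review bot: `for (var i in results)` at the top of the hunk keeps iterating an array with for-in, which also visits any enumerable properties added to `Array.prototype` by other scripts on the page and does not guarantee index order; now that `results` is a plain array taken from `data.result`, an index loop (`for (var i = 0; i < results.length; i++)`) is the safer choice. If you make that change, default the value with `var results = data.result || [];` so a response that lacks the `result` key does not throw on `.length`.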

autocomplete/views.py

             result = []
             for obj in qs:
                 result.append((getattr(obj, key), label(obj)))
-        return HttpResponse(simplejson.dumps(result),
+        # Use a dict/object rather than list/array, because of
+        # security implications of Array in older browsers.
+        return HttpResponse(simplejson.dumps({'result':result}),
                 mimetype='application/json')
 
     def register(self, id, queryset, fields, limit=None, key='pk',
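Review bot: The comment above the `return` should state the actual vector from the commit message (a top-level Array being loaded cross-site via `<script>`) rather than just "security implications", so a later reader does not simplify it back to a bare list; the server-side change only holds if the wrapping is never undone. Since the fix works by changing the response shape, any other view in this app that returns a bare list through `simplejson.dumps` needs the same treatment. Minor style: `{'result':result}` is missing the space after the colon (`{'result': result}`).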