Tests: Strip untypical callback parameter characters from PHP files

mgol · mgol · commit cc8bbd308a64 · 2021-04-16T23:47:14.000+02:00
Only allow alphanumeric characters & underscores for callback parameters. This is only test code so we're not fixing any security issue but it happens often enough that the whole jQuery repository directory structure is deployed onto the server with PHP enabled that it makes is easy to introduce security issues if this cleanup is not done. This is a 1.x/2.x version of PR jquerygh-4871. The change doesn't require a release; it's meant at installations testing the latest state of `1.12-stable` & `2.2-stable` branches. Ref jquerygh-4764 Ref jquerygh-4871
diff --git a/test/data/jsonp.php b/test/data/jsonp.php
@@ -1,14 +1,15 @@
 <?php
 error_reporting(0);
+function cleanCallback( $callback ) {
+	return preg_replace( '/[^a-z0-9_]/i', '', $callback );
+}
 $callback = $_REQUEST['callback'];
 if ( ! $callback ) {
 	$callback = explode("?",end(explode("/",$_SERVER['REQUEST_URI'])));
 	$callback = $callback[0];
 }
-$json = $_REQUEST['json'];
-if($json) {
-	echo $callback . '([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])';
-} else {
-	echo $callback . '({ "data": {"lang": "en", "length": 25} })';
-}
+$json = $_REQUEST['json'] ?
+	'[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :
+	'{ "data": { "lang": "en", "length": 25 } }';
+echo cleanCallback( $callback ) . '(' . $json . ')';
 ?>
diff --git a/test/data/with_fries_over_jsonp.php b/test/data/with_fries_over_jsonp.php
@@ -1,7 +1,11 @@
 <?php
 error_reporting(0);
+function cleanCallback( $callback ) {
+	return preg_replace( '/[^a-z0-9_]/i', '', $callback );
+}
 $callback = $_REQUEST['callback'];
+$cleanCallback = cleanCallback( $callback );
 $json = $_REQUEST['json'];
 $text = json_encode(file_get_contents(dirname(__FILE__)."/with_fries.xml"));
-echo "$callback($text)";
+echo "$cleanCallback($text)\n";
 ?>
