authorDavid Rothstein <drothstein@gmail.com>2015-08-19 17:20:31 -0400
committerDavid Rothstein <drothstein@gmail.com>2015-08-19 17:20:31 -0400
commitbe00a1ced4104d84df2f34b149b35fb0adf91093 (patch)
tree57eb4bdd551ef892671c5d7d653a78fdd3f3d454 /includes/ajax.inc
parent5cb79b4b217e9aa315d61284398cce132c28bea4 (diff)
downloadbrdo-be00a1ced4104d84df2f34b149b35fb0adf91093.tar.gz
brdo-be00a1ced4104d84df2f34b149b35fb0adf91093.tar.bz2
Drupal 7.39
Diffstat (limited to 'includes/ajax.inc')
-rw-r--r--includes/ajax.inc37
1 files changed, 36 insertions, 1 deletions
diff --git a/includes/ajax.inc b/includes/ajax.inc
index 6e8e277b8..50e8e28a5 100644
--- a/includes/ajax.inc
+++ b/includes/ajax.inc
@@ -230,6 +230,10 @@
* functions.
*/
function ajax_render($commands = array()) {
+ // Although ajax_deliver() does this, some contributed and custom modules
+ // render Ajax responses without using that delivery callback.
+ ajax_set_verification_header();
+
// Ajax responses aren't rendered with html.tpl.php, so we have to call
// drupal_get_css() and drupal_get_js() here, in order to have new files added
// during this request to be loaded by the page. We only want to send back
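Review bot: The docblock above ajax_render() is not updated to say that the function now has an HTTP-level side effect: the added call emits the X-Drupal-Ajax-Token header, which marks the whole response as trusted for ajax.js, so a caller that uses ajax_render() only to build a JSON string (to store it, log it, or embed it in something else) will unknowingly flag whatever it actually serves as safe to execute. I would add to the docblock: `Calling this function also sets the X-Drupal-Ajax-Token response header, so only call it from a code path that delivers the returned JSON as the response body.` The body of ajax_render() continues beyond this hunk.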
@@ -487,6 +491,9 @@ function ajax_deliver($page_callback_result) {
}
}
+ // Let ajax.js know that this response is safe to process.
+ ajax_set_verification_header();
+
// Print the response.
$commands = ajax_prepare_response($page_callback_result);
$json = ajax_render($commands);
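Review bot: The ajax_set_verification_header() call added here is redundant with the one ajax_render() itself makes two lines later in this same function (see the first hunk), and the comment does not say so, which invites a later cleanup that removes one call believing it to be the only one. Either drop the call in ajax_deliver() or state the intent in the comment: `// ajax_render() sets this too; set it here explicitly so the response stays marked trusted even if the rendering path changes. The helper is idempotent.` ajax_deliver() begins before this hunk.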
@@ -577,6 +584,29 @@ function ajax_prepare_response($page_callback_result) {
}
/**
+ * Sets a response header for ajax.js to trust the response body.
+ *
+ * It is not safe to invoke Ajax commands within user-uploaded files, so this
+ * header protects against those being invoked.
+ *
+ * @see Drupal.ajax.options.success()
+ */
+function ajax_set_verification_header() {
+ $added = &drupal_static(__FUNCTION__);
+
+ // User-uploaded files cannot set any response headers, so a custom header is
+ // used to indicate to ajax.js that this response is safe. Note that most
+ // Ajax requests bound using the Form API will be protected by having the URL
+ // flagged as trusted in Drupal.settings, so this header is used only for
+ // things like custom markup that gets Ajax behaviors attached.
+ if (empty($added)) {
+ drupal_add_http_header('X-Drupal-Ajax-Token', '1');
+ // Avoid sending the header twice.
+ $added = TRUE;
+ }
+}
+
+/**
* Performs end-of-Ajax-request tasks.
*
* This function is the equivalent of drupal_page_footer(), but for Ajax
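Review bot: The docblock of the new ajax_set_verification_header() does not state the trust model the header depends on: the value `1` is a fixed marker, not a secret, and the scheme is only sound while no attacker-controlled content can be served from the same origin with this header, so any PHP path that streams uploaded content (private-file download handlers, contrib proxies that pass upstream headers through) must never emit it, and a CDN or reverse proxy that strips unknown `X-` headers will presumably make ajax.js reject every response that relies on it (failing closed, but worth documenting). I would extend the docblock with a sentence saying the header is a marker rather than a credential and must only be emitted on responses whose body Drupal itself generated, and add `@return void`. The drupal_static guard only suppresses a second drupal_add_http_header() call within one request; since that function stores headers by name, the guard appears to be belt-and-braces rather than required, which the "Avoid sending the header twice" comment could say so nobody later treats it as load-bearing.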
@@ -764,7 +794,12 @@ function ajax_pre_render_element($element) {
$element['#attached']['js'][] = array(
'type' => 'setting',
- 'data' => array('ajax' => array($element['#id'] => $settings)),
+ 'data' => array(
+ 'ajax' => array($element['#id'] => $settings),
+ 'urlIsAjaxTrusted' => array(
+ $settings['url'] => TRUE,
+ ),
+ ),
);
// Indicate that Ajax processing was successful.