Commit ab6f04e8 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(mvc) remove disableOutputCleansing, related to https://github.com/opnsense/core/issues/898

(cherry picked from commit 3c2aad98)
parent 215873c1
...@@ -37,21 +37,6 @@ use OPNsense\Auth\AuthenticationFactory; ...@@ -37,21 +37,6 @@ use OPNsense\Auth\AuthenticationFactory;
*/ */
class ApiControllerBase extends ControllerRoot class ApiControllerBase extends ControllerRoot
{ {
/**
* @var bool cleanse output before sending to client, be very careful to disable this (XSS).
*/
private $cleanseOutput = true;
/**
* disable output cleansing.
* Prevents the framework from executing automatic XSS protection on all delivered json data.
* Be very careful to disable this, if content can't be guaranteed you might introduce XSS vulnerabilities.
*/
protected function disableOutputCleansing()
{
$this->cleanseOutput = false;
}
/** /**
* parse raw json type content to POST data depending on content type * parse raw json type content to POST data depending on content type
* (only for api calls) * (only for api calls)
...@@ -194,11 +179,7 @@ class ApiControllerBase extends ControllerRoot ...@@ -194,11 +179,7 @@ class ApiControllerBase extends ControllerRoot
$data = $dispatcher->getReturnedValue(); $data = $dispatcher->getReturnedValue();
if (is_array($data)) { if (is_array($data)) {
$this->response->setContentType('application/json', 'UTF-8'); $this->response->setContentType('application/json', 'UTF-8');
if ($this->cleanseOutput) {
echo htmlspecialchars(json_encode($data), ENT_NOQUOTES); echo htmlspecialchars(json_encode($data), ENT_NOQUOTES);
} else {
echo json_encode($data);
}
} else { } else {
// output raw data // output raw data
echo $data; echo $data;
......