Drupal investigation

JsonResponse.php 7.7KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Component\HttpFoundation;
  11. /**
  12. * Response represents an HTTP response in JSON format.
  13. *
  14. * Note that this class does not force the returned JSON content to be an
  15. * object. It is however recommended that you do return an object as it
  16. * protects yourself against XSSI and JSON-JavaScript Hijacking.
  17. *
  18. * @see https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines#Always_return_JSON_with_an_Object_on_the_outside
  19. *
  20. * @author Igor Wiedler <igor@wiedler.ch>
  21. */
  22. class JsonResponse extends Response
  23. {
  24. protected $data;
  25. protected $callback;
  26. // Encode <, >, ', &, and " characters in the JSON, making it also safe to be embedded into HTML.
  27. // 15 === JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT
  28. protected $encodingOptions = 15;
  29. /**
  30. * Constructor.
  31. *
  32. * @param mixed $data The response data
  33. * @param int $status The response status code
  34. * @param array $headers An array of response headers
  35. */
  36. public function __construct($data = null, $status = 200, $headers = array())
  37. {
  38. parent::__construct('', $status, $headers);
  39. if (null === $data) {
  40. $data = new \ArrayObject();
  41. }
  42. $this->setData($data);
  43. }
  44. /**
  45. * Factory method for chainability.
  46. *
  47. * Example:
  48. *
  49. * return JsonResponse::create($data, 200)
  50. * ->setSharedMaxAge(300);
  51. *
  52. * @param mixed $data The json response data
  53. * @param int $status The response status code
  54. * @param array $headers An array of response headers
  55. *
  56. * @return static
  57. */
  58. public static function create($data = null, $status = 200, $headers = array())
  59. {
  60. return new static($data, $status, $headers);
  61. }
  62. /**
  63. * Sets the JSONP callback.
  64. *
  65. * @param string|null $callback The JSONP callback or null to use none
  66. *
  67. * @return $this
  68. *
  69. * @throws \InvalidArgumentException When the callback name is not valid
  70. */
  71. public function setCallback($callback = null)
  72. {
  73. if (null !== $callback) {
  74. // partially token from http://www.geekality.net/2011/08/03/valid-javascript-identifier/
  75. // partially token from https://github.com/willdurand/JsonpCallbackValidator
  76. // JsonpCallbackValidator is released under the MIT License. See https://github.com/willdurand/JsonpCallbackValidator/blob/v1.1.0/LICENSE for details.
  77. // (c) William Durand <william.durand1@gmail.com>
  78. $pattern = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*(?:\[(?:"(?:\\\.|[^"\\\])*"|\'(?:\\\.|[^\'\\\])*\'|\d+)\])*?$/u';
  79. $reserved = array(
  80. 'break', 'do', 'instanceof', 'typeof', 'case', 'else', 'new', 'var', 'catch', 'finally', 'return', 'void', 'continue', 'for', 'switch', 'while',
  81. 'debugger', 'function', 'this', 'with', 'default', 'if', 'throw', 'delete', 'in', 'try', 'class', 'enum', 'extends', 'super', 'const', 'export',
  82. 'import', 'implements', 'let', 'private', 'public', 'yield', 'interface', 'package', 'protected', 'static', 'null', 'true', 'false',
  83. );
  84. $parts = explode('.', $callback);
  85. foreach ($parts as $part) {
  86. if (!preg_match($pattern, $part) || in_array($part, $reserved, true)) {
  87. throw new \InvalidArgumentException('The callback name is not valid.');
  88. }
  89. }
  90. }
  91. $this->callback = $callback;
  92. return $this->update();
  93. }
  94. /**
  95. * Sets the data to be sent as JSON.
  96. *
  97. * @param mixed $data
  98. *
  99. * @return $this
  100. *
  101. * @throws \InvalidArgumentException
  102. */
  103. public function setData($data = array())
  104. {
  105. if (defined('HHVM_VERSION')) {
  106. // HHVM does not trigger any warnings and let exceptions
  107. // thrown from a JsonSerializable object pass through.
  108. // If only PHP did the same...
  109. $data = json_encode($data, $this->encodingOptions);
  110. } else {
  111. try {
  112. if (PHP_VERSION_ID < 50400) {
  113. // PHP 5.3 triggers annoying warnings for some
  114. // types that can't be serialized as JSON (INF, resources, etc.)
  115. // but doesn't provide the JsonSerializable interface.
  116. set_error_handler(function () { return false; });
  117. $data = @json_encode($data, $this->encodingOptions);
  118. } else {
  119. // PHP 5.4 and up wrap exceptions thrown by JsonSerializable
  120. // objects in a new exception that needs to be removed.
  121. // Fortunately, PHP 5.5 and up do not trigger any warning anymore.
  122. if (PHP_VERSION_ID < 50500) {
  123. // Clear json_last_error()
  124. json_encode(null);
  125. $errorHandler = set_error_handler('var_dump');
  126. restore_error_handler();
  127. set_error_handler(function () use ($errorHandler) {
  128. if (JSON_ERROR_NONE === json_last_error()) {
  129. return $errorHandler && false !== call_user_func_array($errorHandler, func_get_args());
  130. }
  131. });
  132. }
  133. $data = json_encode($data, $this->encodingOptions);
  134. }
  135. if (PHP_VERSION_ID < 50500) {
  136. restore_error_handler();
  137. }
  138. } catch (\Exception $e) {
  139. if (PHP_VERSION_ID < 50500) {
  140. restore_error_handler();
  141. }
  142. if (PHP_VERSION_ID >= 50400 && 'Exception' === get_class($e) && 0 === strpos($e->getMessage(), 'Failed calling ')) {
  143. throw $e->getPrevious() ?: $e;
  144. }
  145. throw $e;
  146. }
  147. }
  148. if (JSON_ERROR_NONE !== json_last_error()) {
  149. throw new \InvalidArgumentException(json_last_error_msg());
  150. }
  151. $this->data = $data;
  152. return $this->update();
  153. }
  154. /**
  155. * Returns options used while encoding data to JSON.
  156. *
  157. * @return int
  158. */
  159. public function getEncodingOptions()
  160. {
  161. return $this->encodingOptions;
  162. }
  163. /**
  164. * Sets options used while encoding data to JSON.
  165. *
  166. * @param int $encodingOptions
  167. *
  168. * @return $this
  169. */
  170. public function setEncodingOptions($encodingOptions)
  171. {
  172. $this->encodingOptions = (int) $encodingOptions;
  173. return $this->setData(json_decode($this->data));
  174. }
  175. /**
  176. * Updates the content and headers according to the JSON data and callback.
  177. *
  178. * @return $this
  179. */
  180. protected function update()
  181. {
  182. if (null !== $this->callback) {
  183. // Not using application/javascript for compatibility reasons with older browsers.
  184. $this->headers->set('Content-Type', 'text/javascript');
  185. return $this->setContent(sprintf('/**/%s(%s);', $this->callback, $this->data));
  186. }
  187. // Only set the header when there is none or when it equals 'text/javascript' (from a previous update with callback)
  188. // in order to not overwrite a custom definition.
  189. if (!$this->headers->has('Content-Type') || 'text/javascript' === $this->headers->get('Content-Type')) {
  190. $this->headers->set('Content-Type', 'application/json');
  191. }
  192. return $this->setContent($this->data);
  193. }
  194. }