
How to make JSON Vulnerability Protection in the server response under Yii2

AngularJS provides support for JSON Vulnerability Protection, designed to counter the situation where an attacker can, under certain conditions, load a JSON response as JSONP (via a script tag) and have it executed as code. As a server-side countermeasure, the response body is prefixed with the string )]}', followed by a newline: a browser loading the response as a script fails with a syntax error on the leading ), while an AngularJS client strips the prefix before parsing the JSON.

Below is my short story of generating JSON data with this prefix. I think it also illustrates a more general question: how to add your own server response formats. In the Yii Framework this is done quite simply; it is enough to declare in the configuration which class is responsible for generating a response of a given format.

I started by adding a new response format, “jsonvp”, to the configuration (/path_to_project/config/web.php, the components → response → formatters section), assigning it the class I was about to create.

    <?php
    // /path_to_project/config/web.php (only the relevant part is shown)
    $config = [
        // . . .
        'components' => [
            // . . .
            'response' => [
                'formatters' => [
                    'jsonvp' => 'app\components\JsonVpResponseFormatter',
                ],
            ],
        ],
        // . . .
    ];

The class yii\web\Response has a property $formatters, which holds the built-in formatters and is merged with whatever is declared in the configuration. Now, if some action sets Yii::$app->response->format = 'jsonvp';, the app\components\JsonVpResponseFormatter class will be used to format the response. (If the format name is not present in $formatters, Response::prepare() throws yii\base\InvalidConfigException with “Unsupported response format”, so a typo in the format name fails loudly rather than silently sending the raw data.) The framework provides the interface yii\web\ResponseFormatterInterface, which defines the contract for such classes, so my new class implements it.

    <?php
    namespace app\components;

    use yii\helpers\Json;
    use yii\web\Response;
    use yii\web\ResponseFormatterInterface;

    class JsonVpResponseFormatter implements ResponseFormatterInterface
    {
        /**
         * Format as Vulnerability Protected JSON: the AngularJS prefix ")]}',"
         * plus a newline, followed by the JSON-encoded response data.
         * @param Response $response
         */
        public function format($response)
        {
            $response->getHeaders()->set('Content-Type', 'application/json; charset=UTF-8');
            if ($response->data !== null) {
                $response->content = ")]}',\n" . Json::encode($response->data);
            }
        }
    }


It remains only to check the functionality:

    <?php
    namespace app\controllers;

    use Yii;
    use yii\web\Controller;

    /**
     * site/* actions.
     * @package app\controllers
     */
    class SiteController extends Controller
    {
        /**
         * Test JSON output
         * @return array
         */
        public function actionJson()
        {
            Yii::$app->response->format = 'jsonvp';
            return ['123', '456'];
        }
    }


Opening localhost/index.php?r=site/json in the browser displays the following result:

    )]}',
    ["123","456"]
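The server side above only adds the prefix; the protection works because the prefixed body is unparseable as a script yet trivially recoverable by a cooperating client. The following is an added example (not code from the original post or from AngularJS): a JavaScript client that strips the prefix before JSON.parse, the way the AngularJS $http response transformer does, plus a check that confirms the raw body would not load via a script tag. The function names and the sample response are my own; the sample mirrors the output shown above.

```javascript
// Added example (not from the original post or from AngularJS).
// The prefix value is the one AngularJS documents for JSON Vulnerability Protection.
const JSON_VP_PREFIX = ")]}',\n";

// Strip the protective prefix if present and parse the remaining JSON.
// This mirrors what AngularJS's default $http response transformer does.
function parseProtectedJson(body) {
  const text = body.startsWith(JSON_VP_PREFIX)
    ? body.slice(JSON_VP_PREFIX.length)
    : body;
  return JSON.parse(text);
}

// Does the body parse as JavaScript? A body that does could be executed if an
// attacker loads the URL with <script src=...>; a body that does not is inert.
function isScriptParseable(body) {
  try {
    new Function(body); // compile only, never executed
    return true;
  } catch (e) {
    return false;
  }
}

// Does the body parse as plain JSON? A prefixed body must not, otherwise
// a naive consumer could mistake the prefix for part of the payload.
function isPlainJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: what the Yii2 formatter above emits for ['123', '456'].
const sampleProtected = JSON_VP_PREFIX + '["123","456"]';
// The same payload without the prefix, as an unprotected server would send it.
const sampleUnprotected = '["123","456"]';

// Summarise the behaviour of both bodies; returned rather than printed so it can be checked.
function protectionReport() {
  return {
    protectedLoadsAsScript: isScriptParseable(sampleProtected),     // false
    unprotectedLoadsAsScript: isScriptParseable(sampleUnprotected), // true
    protectedIsPlainJson: isPlainJson(sampleProtected),             // false
    decoded: parseProtectedJson(sampleProtected),                   // ["123","456"]
  };
}
```

A client that only ever talks to your own API can simply call parseProtectedJson on every response; if you also consume third-party JSON, the prefix check is a no-op for bodies that lack it, so the same function handles both.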


Conclusion


In this simple way you can create your own response formats, for example, as described above, JSON with a prefix that protects against the vulnerability. Unfortunately, the framework's guide currently has no description of how to create your own response formats, although the section is labeled “TBD”. Update: it is there now.

I hope someone finds this article useful. Good luck!

Source: https://habr.com/ru/post/256213/

