From 36a214b570c889cfabdd7d89b3dce22c9b6fc1b3 Mon Sep 17 00:00:00 2001
From: Dave MacFarlane
Date: Mon, 16 Aug 2021 09:43:54 -0400
Subject: [PATCH] [Publication] Set Content-Type for ajax responses

This sets the Content-Type header for the ajax responses in the publication module. Because it's not explicitly set, PHP is defaulting to text/html. This means that, in the event that a user directly accesses the endpoint, the browser will interpret the page as HTML, not JSON, and interpret any data in the object as HTML tags, opening the possibility of an XSS attack if the an someone is tricked into accessing the ajax endpoint directly. The frontend isn't directly vulnerable, because the data is only interpreted by React. Setting the Content-Type explicitly to the correct "application/json" means that browsers should interpret the data correctly even if accessed directly, rather than interpretting HTML tags. Thanks to @0xSmiley for reporting this.
---
 modules/publication/ajax/getData.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/publication/ajax/getData.php b/modules/publication/ajax/getData.php
index 22ed9a6a7a6..adb118b2d97 100644
--- a/modules/publication/ajax/getData.php
+++ b/modules/publication/ajax/getData.php
@@ -20,6 +20,7 @@
 if ($action === 'getData') {
 if (userCanGetData($db, $user)) {
+ header('Content-Type: application/json');
 exit(json_encode(getData($db)));
 } else {
 http_response_code(403);
@@ -31,6 +32,7 @@
 } elseif ($action === 'getProjectData') {
 $id = $_REQUEST['id'];
 if (userCanGetData($db, $user, $id)) {
+ header('Content-Type: application/json');
 exit(json_encode(getProjectData($db, $user, $id)));
 } else {
 http_response_code(403);
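Review bot: The new `header('Content-Type: application/json');` in the first hunk closes the direct-access XSS only as far as the browser honours the declared type, while `json_encode` still emits raw `<`, `>` and `&` inside string values; pair the header with `header('X-Content-Type-Options: nosniff');` and encode the HTML-significant characters, `exit(json_encode(getData($db), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT));`, so the payload stays inert even where the type header is ignored or the JSON is later embedded in a page. `json_encode` also returns `false` on an encoding failure (for example non-UTF-8 bytes coming back from the database), and this `exit` would then send an effectively empty body under a JSON content type; if the project's minimum PHP is 7.3 or later, adding `JSON_THROW_ON_ERROR` to the flags makes that failure visible instead. The old-side count in `@@ -20,6 +20,7 @@` is one more than the context lines shown here, so a line (probably blank) appears to have been lost in this rendering, and the `if ($action === 'getData')` chain continues past the end of the hunk.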
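Review bot: The second hunk repeats the identical `header('Content-Type: application/json');` inside the `getProjectData` branch, while the `http_response_code(403)` paths of both branches still fall back to PHP's default `text/html` for whatever body they emit (that body is outside the hunk); as far as the two branches visible here show, every action of this script answers in JSON, so a single `header('Content-Type: application/json');` placed once above the `if ($action === 'getData')` chain, which begins before this hunk, would cover every response, including the error branches and any action added later, without per-branch duplication. Separately, the context line `$id = $_REQUEST['id'];` reads the parameter with no presence check before passing it to `userCanGetData($db, $user, $id)`; `$id = $_REQUEST['id'] ?? null;` would at least make the missing-parameter case explicit and silence the undefined-index notice, on the assumption that `userCanGetData` rejects a null id, which cannot be confirmed from this hunk.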