JSON loading should follow OWASP reccomendation

[ldusan84]

I think that JSON loading should follow OWASP reccomendation on that:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse

[verklov]

@ldusan84, thank you for the issue and sorry for the delay! There is a ticket in the backlog. We will notify you once the team resolves this issue.

[verklov]

@ldusan84, we have fixed the issue that you reported and released the fix in dev85. Thank you again for contributing to Magento quality! We are closing this issue.

[verklov]

@ldusan84, I saw your tweet that you did not find the code we released in dev85 in scope of this issue. I investigated to find out if there was a mistake and the code was not included, but nope, the developer confirmed his code changes are there.

He made an assumption that his implementation was different from what you might have expected. Here is what he suggested:

Look for Magento\Framework\App\Response\Http::representJson($content) method.
You can find its numerous usages in places that did require appropriate Content-Type header.

Please let us know if this explains everything or you would still like to get more information. If yes, please note what exactly leaves you puzzled here and I will try to connect you and the developer to make sure you receive all the answers.

[ldusan84]

Hi @verklov

Thanks for your effort on this issue.

My concern was mainly regarding that the mime type on script tags that output json should be "application/json" and not "text/javascript". I realize it's a minor issue and that this vulnerability is not likely to be exploited, but I think it's a good practice to follow OWASP standards.

Let me know what you think.

Thanks
Dusan

[verklov]

Hi @ldusan84, I will let the developer know of your concerns tomorrow. If this requires some changes in the code to correspond to the OWASP standards, we will definitely initiate this change.

Let me get back to you once I have the decision made.

Best regards,
Sergey

[verklov]

@ldusan84, I got a response from the developer to your latest comment in this thread:

Magento uses tags with type set to text/javascript for regular javascript code. Content type application/json has to be used when script tag contains only JSON. If you have found any such tags in Magento code, please let us know and we will fix it. Magento uses pure JSON mainly in AJAX requests, and as we mentioned in the initial post we have already fixed those cases (Magento now sets correct content type for JSON responses).

Once again, thank you for your input.

[ldusan84]

Hi @verklov

Thanks for the response. In the meantime I have investigated this a bit and it seems that mime type on script tag is not really that important, so I think that's good the way it is.

I really like the way this issue has been resolved, thanks again.

Regards
Dusan