From f5c39efcace4c3d8ca982ffe7456266692810dd2 Mon Sep 17 00:00:00 2001
From: Henry Oswald
Date: Tue, 19 May 2015 11:04:52 +0100
Subject: [PATCH] patched xss hole with messages not setting the content type correctly
---
 services/web/app/coffee/Features/Chat/ChatController.coffee | 1 +
 .../web/test/UnitTests/coffee/Chat/ChatControllerTests.coffee | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/services/web/app/coffee/Features/Chat/ChatController.coffee b/services/web/app/coffee/Features/Chat/ChatController.coffee
index ddbc9c9a85..7df835a1f8 100644
--- a/services/web/app/coffee/Features/Chat/ChatController.coffee
+++ b/services/web/app/coffee/Features/Chat/ChatController.coffee
@@ -25,4 +25,5 @@ module.exports =
 logger.err err:err, query:query, "problem getting messages from chat api"
 return res.send 500
 logger.log length:messages?.length, "sending messages to client"
+ res.set 'Content-Type', 'application/json'
 res.send messages
diff --git a/services/web/test/UnitTests/coffee/Chat/ChatControllerTests.coffee b/services/web/test/UnitTests/coffee/Chat/ChatControllerTests.coffee
index 6a2df298f5..d2ebe41c63 100644
--- a/services/web/test/UnitTests/coffee/Chat/ChatControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/Chat/ChatControllerTests.coffee
@@ -33,7 +33,8 @@ describe "ChatController", ->
 _id:@user_id
 body:
 content:@messageContent
- @res = {}
+ @res = set:sinon.stub()
 describe "sendMessage", ->
@@ -69,6 +70,7 @@ describe "ChatController", ->
 messages = [{content:"hello"}]
 @ChatHandler.getMessages.callsArgWith(2, null, messages)
 @res.send = (sentMessages)=>
+ @res.set.calledWith('Content-Type', 'application/json').should.equal true
 sentMessages.should.deep.equal messages
 done()
 @ChatController.getMessages @req, @res
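Review bot: Declaring `application/json` only protects clients that honour the declared type; the added `res.set` line should be paired with `res.set 'X-Content-Type-Options', 'nosniff'` so content-sniffing browsers cannot reinterpret a body containing markup as HTML. The explicit type is presumably needed because `messages` arrives as a raw body string from the chat API (`res.send` already emits JSON for arrays and objects) — confirm, and record the reason next to the new line: `# messages is the chat API's raw body string; without an explicit type express serves it as text/html`. The `getMessages` handler containing this hunk begins outside it.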
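Review bot: The new assertion `@res.set.calledWith('Content-Type', 'application/json').should.equal true` fails with only "expected false to equal true", hiding what `set` was actually called with; `sinon.assert.calledWith @res.set, 'Content-Type', 'application/json'` reports the real arguments and sinon is already in scope in this file (the `sinon.stub()` in the preceding hunk). Placing the check inside the `send` stub is what pins the header-before-body ordering, which deserves a comment such as `# header must be set before the body is sent`. The enclosing describe block begins outside the hunk.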