[TASK] Remove JSONP callback in suggest
This change removes the callback logic in the Suggest AJAX call via JSONP,
as JSONP is known to be used to call untrusted third-party code and can
therefore be removed; custom suggest code is done via custom JS
implementations anyway.

See https://en.wikipedia.org/wiki/JSONP#Security_concerns
bmack committed Oct 25, 2024
1 parent 0fd63e1 commit d432fdb
Showing 4 changed files with 5 additions and 30 deletions.
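--- a/Classes/Controller/SuggestController.php
+++ b/Classes/Controller/SuggestController.php
@@ -37,7 +37,7 @@ class SuggestController extends AbstractBaseController
 *
 * @noinspection PhpUnused
 */
-public function suggestAction(string $queryString, ?string $callback = null, ?array $additionalFilters = []): ResponseInterface
+public function suggestAction(string $queryString, ?array $additionalFilters = []): ResponseInterface
 {
 // Get suggestions
 $rawQuery = htmlspecialchars(mb_strtolower(trim($queryString)));
@@ -64,9 +64,6 @@ public function suggestAction(string $queryString, ?string $callback = null, ?ar
 } catch (SolrUnavailableException) {
 return $this->handleSolrUnavailable();
 }
-if ($callback) {
-return $this->htmlResponse(htmlspecialchars($callback) . '(' . json_encode($result, JSON_UNESCAPED_SLASHES) . ')');
-}
 return $this->htmlResponse(json_encode($result, JSON_UNESCAPED_SLASHES));
 }
 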
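Review bot: The single remaining return at the end of the second hunk still emits JSON through `htmlResponse()`, so the response's content type is owned by the page-type TypoScript (`additionalHeaders.10.header`) rather than by the controller; if `AbstractBaseController` extends Extbase's `ActionController`, `return $this->jsonResponse(json_encode($result, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES));` sets `application/json` itself and turns an encoding failure into an exception instead of a `false` body. A JSON body served as `text/html` is what a browser renders if the suggest URL is opened directly, so setting the content type in the controller is the safer default now that no JavaScript wrapper is ever produced. Since `suggestAction` no longer takes the parameter, any `@param ... $callback` line in the docblock above the first hunk (its start is outside the hunk) should be dropped as well. The body of `suggestAction` continues between the two hunks, outside this view.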
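--- a/Configuration/TypoScript/Examples/Suggest/setup.typoscript
+++ b/Configuration/TypoScript/Examples/Suggest/setup.typoscript
@@ -7,7 +7,7 @@ tx_solr_suggest {
 disableAllHeaderCode = 1
 xhtml_cleaning = 0
 admPanel = 0
-additionalHeaders.10.header = Content-type: application/javascript
+additionalHeaders.10.header = Content-type: application/json
 no_cache = 0
 debug = 0
 }
@@ -23,10 +23,6 @@ tx_solr_suggest {
 }
 }
 
-[request && traverse(request.getQueryParams(), 'tx_solr/callback') == '']
-tx_solr_suggest.config.additionalHeaders.10.header = Content-type: application/json
-[global]
-
 # Enable suggest
 plugin.tx_solr {
 suggest = 1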
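--- a/Resources/Public/JavaScript/suggest_controller.js
+++ b/Resources/Public/JavaScript/suggest_controller.js
@@ -29,10 +29,7 @@ function SuggestController() {
 
 $form.find('.tx-solr-suggest').devbridgeAutocomplete({
 serviceUrl: $form.data('suggest'),
-dataType: 'jsonp',
-ajaxSettings: {
-jsonp: "tx_solr[callback]"
-},
+dataType: 'json',
 paramName: 'tx_solr[queryString]',
 groupBy: 'category',
 maxHeight: 1000,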
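--- a/Tests/Integration/Controller/SuggestControllerTest.php
+++ b/Tests/Integration/Controller/SuggestControllerTest.php
@@ -60,18 +60,6 @@ public function canDoABasicSuggest(): void
 $this->importCSVDataSet(__DIR__ . '/Fixtures/indexing_data.csv');
 $this->indexPages([1, 2, 3, 4, 5, 6, 7, 8]);
 
-$result = (string)($this->executeFrontendSubRequestForSuggestQueryString('Sweat', 'rand')->getBody());
-
-// we assume to get suggestions like Sweatshirt
-self::assertStringContainsString('suggestions":{"sweatshirts":2}', $result, 'Response did not contain sweatshirt suggestions');
-}
-
-#[Test]
-public function canDoABasicSuggestWithoutCallback(): void
-{
-$this->importCSVDataSet(__DIR__ . '/Fixtures/indexing_data.csv');
-$this->indexPages([1, 2, 3, 4, 5, 6, 7, 8]);
-
 $result = (string)($this->executeFrontendSubRequestForSuggestQueryString('Sweat')->getBody());
 
 // we assume to get suggestions like Sweatshirt
@@ -112,23 +100,20 @@ public function canSuggestWithUriSpecialChars(): void
 
 protected function expectSuggested(string $prefix, string $expected)
 {
-$result = (string)($this->executeFrontendSubRequestForSuggestQueryString($prefix, 'rand')->getBody());
+$result = (string)($this->executeFrontendSubRequestForSuggestQueryString($prefix)->getBody());
 
 //we assume to get suggestions like some/large/path
 self::assertStringContainsString($expected, $result, 'Response did not contain expected suggestions: ' . $expected);
 }
 
-protected function executeFrontendSubRequestForSuggestQueryString(string $queryString, string $callback = null): ResponseInterface
+protected function executeFrontendSubRequestForSuggestQueryString(string $queryString): ResponseInterface
 {
 $request = new InternalRequest('http://testone.site/en/');
 $request = $request
 ->withPageId(1)
 ->withQueryParameter('type', '7384')
 ->withQueryParameter('tx_solr[queryString]', $queryString);
 
-if ($callback !== null) {
-$request = $request->withQueryParameter('tx_solr[callback]', $callback);
-}
 return $this->executeFrontendSubRequest($request);
 }
 }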
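Review bot: With the `'rand'` callback case deleted in the first hunk and the `$callback` branch dropped from `executeFrontendSubRequestForSuggestQueryString` in the second, the suite no longer sends a `tx_solr[callback]` parameter at all, so nothing guards against the JSONP wrapper being reintroduced. A regression test that still passes the legacy parameter and asserts the body is plain, parseable JSON pins the behaviour this commit is meant to guarantee; it would sit inside the class next to `canDoABasicSuggest`. The remaining assertions only check for a substring, so they would also pass on a wrapped response, which is why the new test decodes the body with `JSON_THROW_ON_ERROR` instead. The class is closed by the last line of the second hunk.
```php
#[Test]
public function ignoresLegacyCallbackParameter(): void
{
    $this->importCSVDataSet(__DIR__ . '/Fixtures/indexing_data.csv');
    $this->indexPages([1, 2, 3, 4, 5, 6, 7, 8]);

    $request = (new InternalRequest('http://testone.site/en/'))
        ->withPageId(1)
        ->withQueryParameter('type', '7384')
        ->withQueryParameter('tx_solr[queryString]', 'Sweat')
        ->withQueryParameter('tx_solr[callback]', 'rand');
    $result = (string)($this->executeFrontendSubRequest($request)->getBody());

    // The body must be bare JSON; a callback name must never be echoed as a wrapper.
    self::assertStringStartsNotWith('rand(', $result);
    json_decode($result, true, 512, JSON_THROW_ON_ERROR);
    self::assertStringContainsString('suggestions":{"sweatshirts":2}', $result, 'Response did not contain sweatshirt suggestions');
}
```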
