Don't store ux_live_component URLs in setTargetPath of the security c…
…omponent
gbere authored and weaverryan committed Sep 7, 2023
1 parent 19feb79 commit 9591ea8
Showing 3 changed files with 7 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/LiveComponent/assets/dist/live_controller.js
Expand Up @@ -2154,6 +2154,7 @@ class RequestBuilder {
const fetchOptions = {};
fetchOptions.headers = {
Accept: 'application/vnd.live-component+html',
'X-Requested-With': 'XMLHttpRequest',
};
const totalFiles = Object.entries(files).reduce((total, current) => total + current.length, 0);
const hasFingerprints = Object.keys(children).length > 0;
1 change: 1 addition & 0 deletions src/LiveComponent/assets/src/Backend/RequestBuilder.ts
Expand Up @@ -25,6 +25,7 @@ export default class {
const fetchOptions: RequestInit = {};
fetchOptions.headers = {
Accept: 'application/vnd.live-component+html',
'X-Requested-With': 'XMLHttpRequest',
};

const totalFiles = Object.entries(files).reduce(
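Review bot: The new `'X-Requested-With': 'XMLHttpRequest'` entry in `fetchOptions.headers` has no comment saying why it is there; the only explanation is the commit title. I would add above it `// Mark the request as XHR so the server-side security component does not store this component URL as the login target path.` so that it is not later removed as redundant. Two caveats are worth recording next to it, assuming the server keys off this header as the title suggests: it is set by the client, so it is a hint for target-path handling and not proof of origin or a replacement for the `X-CSRF-TOKEN` check; and because it is not a CORS-safelisted header, any deployment that serves live components cross-origin now needs it in `Access-Control-Allow-Headers`, since even the GET case will trigger a preflight. The enclosing method starts and ends outside the hunk.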
5 changes: 5 additions & 0 deletions src/LiveComponent/assets/test/Backend/RequestBuilder.test.ts
Expand Up @@ -16,6 +16,7 @@ describe('buildRequest', () => {
expect(fetchOptions.method).toEqual('GET');
expect(fetchOptions.headers).toEqual({
Accept: 'application/vnd.live-component+html',
'X-Requested-With': 'XMLHttpRequest',
});
});

Expand All @@ -38,6 +39,7 @@ describe('buildRequest', () => {
expect(fetchOptions.headers).toEqual({
Accept: 'application/vnd.live-component+html',
'X-CSRF-TOKEN': '_the_csrf_token',
'X-Requested-With': 'XMLHttpRequest',
});
const body = <FormData>fetchOptions.body;
expect(body).toBeInstanceOf(FormData);
Expand Down Expand Up @@ -100,6 +102,7 @@ describe('buildRequest', () => {
expect(fetchOptions.headers).toEqual({
// no token
Accept: 'application/vnd.live-component+html',
'X-Requested-With': 'XMLHttpRequest',
});
const body = <FormData>fetchOptions.body;
expect(body).toBeInstanceOf(FormData);
Expand Down Expand Up @@ -180,6 +183,7 @@ describe('buildRequest', () => {
expect(fetchOptions.headers).toEqual({
Accept: 'application/vnd.live-component+html',
'X-CSRF-TOKEN': '_the_csrf_token',
'X-Requested-With': 'XMLHttpRequest',
});
const body = <FormData>fetchOptions.body;
expect(body).toBeInstanceOf(FormData);
Expand All @@ -204,6 +208,7 @@ describe('buildRequest', () => {
expect(fetchOptions.headers).toEqual({
Accept: 'application/vnd.live-component+html',
'X-CSRF-TOKEN': '_the_csrf_token',
'X-Requested-With': 'XMLHttpRequest',
});
const body = <FormData>fetchOptions.body;
expect(body).toBeInstanceOf(FormData);
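Review bot: The expected header object is now spelled out in full in five `toEqual` assertions, so the next header change will again touch every hunk in this file. A shared `const baseHeaders = { Accept: 'application/vnd.live-component+html', 'X-Requested-With': 'XMLHttpRequest' };` with `{ ...baseHeaders, 'X-CSRF-TOKEN': '_the_csrf_token' }` in the token cases would state the baseline once. It would also keep the exact-match checks, which are what catch an accidentally dropped header. The `describe` block and each test body start and end outside the hunks.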
