-rw-r--r--src/service/http.js3
-rw-r--r--test/service/httpSpec.js10
2 files changed, 12 insertions, 1 deletions
diff --git a/src/service/http.js b/src/service/http.js
index f06b88fd..3b207a13 100644
--- a/src/service/http.js
+++ b/src/service/http.js
@@ -65,7 +65,8 @@ function $HttpProvider() {
// transform in-coming reponse data
transformResponse: function(data) {
if (isString(data)) {
- if (/^\)\]\}',\n/.test(data)) data = data.substr(6);
+ // strip json vulnerability protection prefix
+ data = data.replace(/^\)\]\}',?\n/, '');
if (/^\s*[\[\{]/.test(data) && /[\}\]]\s*$/.test(data))
data = fromJson(data, true);
}
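Review bot: The new pattern on the `data.replace(...)` line still accepts only a bare `\n` after the prefix, so a response that arrives with `\r\n` after `)]}'` keeps its prefix. It then fails the `/^\s*[\[\{]/` check on the next line and is handed to the caller as an unparsed string, with no error. If backends that emit CRLF are in scope, `data = data.replace(/^\)\]\}',?\r?\n/, '');` would cover them. The comment could also name the two accepted forms and the reason, e.g. `// strip the ")]}'," or ")]}'" + newline prefix that servers prepend so a JSON response cannot be executed as script`. The rest of transformResponse lies outside this hunk, so what happens to the non-string path is not visible here.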
diff --git a/test/service/httpSpec.js b/test/service/httpSpec.js
index ad83bdf8..b39ac3d7 100644
--- a/test/service/httpSpec.js
+++ b/test/service/httpSpec.js
@@ -743,6 +743,16 @@ describe('$http', function() {
expect(callback).toHaveBeenCalledOnce();
expect(callback.mostRecentCall.args[0]).toEqual([1, 'abc', {foo:'bar'}]);
});
+
+
+ it('should deserialize json with security prefix ")]}\'"', function() {
+ $httpBackend.expect('GET', '/url').respond(')]}\'\n\n[1, "abc", {"foo":"bar"}]');
+ $http({method: 'GET', url: '/url'}).on('200', callback);
+ $httpBackend.flush();
+
+ expect(callback).toHaveBeenCalledOnce();
+ expect(callback.mostRecentCall.args[0]).toEqual([1, 'abc', {foo:'bar'}]);
+ });
});
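Review bot: The added case exercises only the comma-less prefix (`)]}'` followed by a newline), while the `,?` in the new pattern in src/service/http.js is there to keep the older `)]}',` form working as well. Unless that form is covered elsewhere in the spec (not visible in this hunk), a sibling `it` with the same body but `.respond(')]}\',\n[1, "abc", {"foo":"bar"}]')` would pin the backward-compatible path. A third case in which the prefix appears mid-body would confirm that the `^` anchor leaves it untouched. The enclosing `describe('$http', ...)` starts outside this hunk.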