Merge pull request #163 from fredrikstave/master

Seldaek · web-flow · commit 0b964b665016 · 2021-04-20T10:27:05.000+02:00
Sanitize response message for unathorized headers
diff --git a/EventListener/CorsListener.php b/EventListener/CorsListener.php
@@ -176,8 +176,9 @@ protected function getPreflightResponse(Request $request, array $options): Respo
                     continue;
                 }
                 if (!in_array($header, $options['allow_headers'], true)) {
+                    $sanitizedMessage = htmlentities('Unauthorized header '.$header, ENT_QUOTES, 'UTF-8');
                     $response->setStatusCode(400);
-                    $response->setContent('Unauthorized header '.$header);
+                    $response->setContent($sanitizedMessage);
                     break;
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -176,8 +176,9 @@ protected function getPreflightResponse(Request $request, array $options): Respo`
`176`	`176`	`continue;`
`177`	`177`	`}`
`178`	`178`	`if (!in_array($header, $options['allow_headers'], true)) {`
	`179`	`+ $sanitizedMessage = htmlentities('Unauthorized header '.$header, ENT_QUOTES, 'UTF-8');`
`179`	`180`	`$response->setStatusCode(400);`
`180`		`- $response->setContent('Unauthorized header '.$header);`
	`181`	`+ $response->setContent($sanitizedMessage);`
`181`	`182`	`break;`
`182`	`183`	`}`
`183`	`184`	`}`