Marshall Shi created SHINDIG-1765:
-------------------------------------

             Summary: Replace the unparseable cruft message "throw 1; < don't be evil' >"
                      constant in client and server with a container config
                 Key: SHINDIG-1765
                 URL: https://issues.apache.org/jira/browse/SHINDIG-1765
             Project: Shindig
          Issue Type: Improvement
          Components: Java
    Affects Versions: 2.5.0
            Reporter: Marshall Shi
             Fix For: 2.5.0


The gadget io request will inject an unparseable cruft message
"throw 1; < don't be evil' >" in the response content intentionally for
security reasons. However, this "throw 1; < don't be evil' >" string has been
hardcoded in:
features/src/main/javascript/features/core.io/io.js
java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

It would be good to extract the message into a container config, so:
- client and server can reuse the same message.
- Shindig consumers can replace the message with their own.

The new config can be added into gadgets.features.core.io in container.js, as
shown below:

"gadgets.features" : {
  "core.io" : {
    // Note: ${Cur['gadgets.uri.proxy.path']} is an open proxy. Be careful how you expose this!
    // Note: These urls should be protocol relative (start with //)
    "proxyUrl" : "//${Cur['default.domain.unlocked.client']}${Cur['gadgets.uri.proxy.path']}?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
    "jsonProxyUrl" : "//${Cur['default.domain.locked.client']}${CONTEXT_ROOT}/gadgets/makeRequest",
    "unparseableCruft" : "throw 1; < don't be evil' >"
  },

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
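
The proposal above, sketched as an added example that is not Shindig's code or part of the original issue: both sides read the prefix from one config value, the client strips it only on an exact match, and a replacement prefix is rejected if the prefixed body would still parse as a script. Only the key name `unparseableCruft` and its default value come from the issue; the helper names and the in-memory config object are assumptions.

```javascript
// Constructed config fragment; key name and default value are taken from the issue.
const containerConfig = {
  'gadgets.features': {
    'core.io': { unparseableCruft: "throw 1; < don't be evil' >" }
  }
};

// True if `body` compiles as JavaScript, which is what a <script src=...>
// include of the JSON endpoint would attempt. new Function() compiles
// the text but does not run it.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Hypothetical helper: read the shared prefix and reject values that no
// longer make a prefixed JSON body unparseable (e.g. a comment or empty string).
function getCruft(config) {
  const cruft = config['gadgets.features']['core.io'].unparseableCruft;
  if (typeof cruft !== 'string' || cruft.length === 0) {
    throw new Error('unparseableCruft must be a non-empty string');
  }
  if (parsesAsScript(cruft + '[]')) {
    throw new Error('unparseableCruft does not make the response unparseable');
  }
  return cruft;
}

// Server side (stand-in for what MakeRequestHandler does): prefix the JSON body.
function wrapResponse(config, payload) {
  return getCruft(config) + JSON.stringify(payload);
}

// Client side (stand-in for io.js): require the exact prefix, then parse the rest.
function parseResponse(config, body) {
  const cruft = getCruft(config);
  if (!body.startsWith(cruft)) {
    throw new Error('response is missing the expected cruft prefix');
  }
  return JSON.parse(body.slice(cruft.length));
}
```
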
