Review Board 1.7.22


Replace the unparseable cruft message "throw 1; < don't be evil' >" constant in client and server with a container config

Review Request #5011 - Created May 4, 2012 and submitted

Marshall Shi
SHINDIG-1765
Reviewers
shindig
ddumont, rbaxter, ssievers
shindig
The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
However, this "throw 1; < don't be evil' >" string has been hardcoded in:
features/src/main/javascript/features/core.io/io.js
java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

It would be good to extract the message into a container config, so:
- client and server can reuse the same message.
- Shindig consumers can replace the message with their own. 
Tested by trying a few other messages in the container.js; the replaced message shows up in the response correctly.
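The round trip the description refers to, as an added example in JavaScript that is not Shindig's code: a constructed container config fragment mirroring the reviewed container.js, a server-side helper in the MakeRequestHandler role that prefixes the JSON with the configured cruft, the client-side strip in the io.js role, and a check that a replacement message still makes the combined response throw when loaded as a script. The function names and the sample payload are assumptions.

```javascript
// Added example, not Shindig code: models the makeRequest cruft round trip.
// Constructed container config fragment mirroring the reviewed container.js.
const containerConfig = {
  'gadgets.features': {
    'core.io': {
      unparseableCruft: "throw 1; < don't be evil' >",
    },
  },
};

// Reads the configured prefix. The patch documents no default, so a config
// that omits it fails here instead of serving responses without the prefix.
function getCruft(config) {
  const io = (config['gadgets.features'] || {})['core.io'] || {};
  if (typeof io.unparseableCruft !== 'string' || io.unparseableCruft === '') {
    throw new Error('core.io.unparseableCruft must be configured');
  }
  return io.unparseableCruft;
}

// Server side (MakeRequestHandler role): body is cruft + JSON keyed by URL.
function buildMakeRequestResponse(config, url, rc, body) {
  const payload = {};
  payload[url] = { rc: rc, body: body };
  return getCruft(config) + JSON.stringify(payload);
}

// Client side (io.js role): require the exact configured prefix, strip it,
// then parse what remains. A body without the prefix is rejected.
function parseMakeRequestResponse(config, text) {
  const cruft = getCruft(config);
  if (!text.startsWith(cruft)) {
    throw new Error('response does not start with the configured cruft');
  }
  return JSON.parse(text.slice(cruft.length));
}

// Config check for consumers who replace the message: the prefix is only
// protective if cruft + payload throws when loaded as a script, either as
// a SyntaxError at parse time or a runtime throw before the payload runs.
function cruftNeutralisesScript(cruft, samplePayload) {
  try {
    new Function(cruft + samplePayload)();
    return false; // ran to completion: the payload was evaluated
  } catch (e) {
    return true;
  }
}
```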
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js
Revision 1333012 New Change
152
"gadgets.features" : {
152
"gadgets.features" : {
153
  "core.io" : {
153
  "core.io" : {
154
    // Note: ${Cur['gadgets.uri.proxy.path']} is an open proxy. Be careful how you expose this!
154
    // Note: ${Cur['gadgets.uri.proxy.path']} is an open proxy. Be careful how you expose this!
155
    // Note: These urls should be protocol relative (start with //)
155
    // Note: These urls should be protocol relative (start with //)
156
    "proxyUrl" : "//${Cur['default.domain.unlocked.client']}${Cur['gadgets.uri.proxy.path']}?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
156
    "proxyUrl" : "//${Cur['default.domain.unlocked.client']}${Cur['gadgets.uri.proxy.path']}?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
157
    "jsonProxyUrl" : "//${Cur['default.domain.locked.client']}${CONTEXT_ROOT}/gadgets/makeRequest"
157
    "jsonProxyUrl" : "//${Cur['default.domain.locked.client']}${CONTEXT_ROOT}/gadgets/makeRequest",

    
   
158
    // Note: this setting MUST be supplied in every container config object, as there is no default if it is not supplied.

    
   
159
    "unparseableCruft" : "throw 1; < don't be evil' >"
158
  },
160
  },
159
  "views" : {
161
  "views" : {
160
    "profile" : {
162
    "profile" : {
161
      "isOnlyVisible" : false,
163
      "isOnlyVisible" : false,
162
      "urlTemplate" : "http://localhost${CONTEXT_ROOT}/gadgets/profile?{var}",
164
      "urlTemplate" : "http://localhost${CONTEXT_ROOT}/gadgets/profile?{var}",
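Review bot: the comment at new line 158 states there is no default for `unparseableCruft`, but nothing in this hunk shows what happens when a container config omits the key; since the description says the prefix is injected for security reasons, a missing value should make container config loading fail rather than let makeRequest responses go out without the prefix. The same comment should also spell out the constraint a replacement must satisfy, namely that the prefix must make the combined response fail to parse or throw when loaded as a script, so consumers who swap in their own message (as the description invites) do not choose one that is valid JavaScript and silently drop the protection.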
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js
Revision 1333012 New Change
 
http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js
Revision 1333012 New Change
 
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
Revision 1333012 New Change
 
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java
Revision 1333012 New Change
 
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java
Revision 1333012 New Change
 