I am writing an angularjs app which is consuming an api built with Laravel 4.1. I am looking to protect against json injection.
One method built into angularjs to fix this is to prefix all server json responses with the following string ")]}',\n"
.
The angularjs $http service will automatically strip this string from all json responses.
I don't want to have to attach this string manually to every json response which my api serves.
Is there a way to prefix this string whenever my controller returns a json Response object?
return Response::json($prefix.$json, 200);
If you want to prepend/append data to the response you can use filters.
Route::filter('json.protect',function($route,$request,$response = null)
{
if($response instanceof \Illuminate\Http\JsonResponse) {
$json = ")]}',\n" . $response->getContent();
return $response->setContent($json);
}
});
You can then attach the filter to the route using the after
property.
Route::get('/test', array('after' =>'json.protect', function()
{
$test = array(
"foo" => "bar",
"bar" => "foo",
);
return Response::json($test);
}));
Alternatively, if you don't want to attach a filter to each route that outputs json, then it is also possible to utilise the App::after
hook.
App::after(function($request, $response)
{
if($response instanceof \Illuminate\Http\JsonResponse) {
$json = ")]}',\n" . $response->getContent();
return $response->setContent($json);
}
});
I know this question was asked a long time ago, but to help who needs this approach with Laravel 5 and AngularJS this can be done by creating a Response Macro, so in your ResponseMacroServiceProvider
class you'd define boot
method like:
public function boot()
{
Response::macro('angular', function($value, $status = 200)
{
$response = Response::make($value, $status);
$json = ")]}',\n" . $response->getContent();
return $response->setContent($json);
});
}
Then simply call the response()
helper function within your controller:
return response()->angular(['item' => 'value']);
This should work:
//in app/filters.php
App::after(function($request, $response)
{
if($request->ajax()) $response = ")]}',\n".$response;
});