Address CVE-2014-4671 (JSONP Flash exploit)

Adds a comment before JSONP callbacks. See http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more details on the exploit in question.
author: Greg Campbell <gregc@twitter.com> 2014-07-09 11:33:09 -0700
committer: Greg Campbell <gregc@twitter.com> 2014-07-09 11:37:19 -0700
commit: 4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6 (patch)
tree: 2d1628444e02656f6c52a5f030c1ff3d4f7ff2aa /actionpack/test/controller/render_json_test.rb
parent: 4c34ad37b2e15731ecf22686fa98755ca0c4757e (diff)
download: rails-4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6.tar.gz
rails-4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6.tar.bz2
rails-4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/test/controller/render_json_test.rb b/actionpack/test/controller/render_json_test.rb
index de8d1cbd9b..ada978aa11 100644
--- a/actionpack/test/controller/render_json_test.rb
+++ b/actionpack/test/controller/render_json_test.rb
@@ -101,7 +101,7 @@ class RenderJsonTest < ActionController::TestCase
 
   def test_render_json_with_callback
     xhr :get, :render_json_hello_world_with_callback
-    assert_equal 'alert({"hello":"world"})', @response.body
+    assert_equal '/**/alert({"hello":"world"})', @response.body
     assert_equal 'text/javascript', @response.content_type
   end
author	Greg Campbell <gregc@twitter.com>	2014-07-09 11:33:09 -0700
committer	Greg Campbell <gregc@twitter.com>	2014-07-09 11:37:19 -0700
commit	4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6 (patch)
tree	2d1628444e02656f6c52a5f030c1ff3d4f7ff2aa /actionpack/test/controller/render_json_test.rb
parent	4c34ad37b2e15731ecf22686fa98755ca0c4757e (diff)
download	rails-4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6.tar.gz rails-4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6.tar.bz2 rails-4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6.zip