Address CVE-2014-4671 (JSONP Flash exploit)

Adds a comment before JSONP callbacks. See
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more
details on the exploit in question.

2 files changed, 2 insertions, 2 deletions

diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
index c89b95de3b..1bc7ad3015 100644
--- a/actionpack/test/controller/mime/respond_to_test.rb
+++ b/actionpack/test/controller/mime/respond_to_test.rb
@@ -520,7 +520,7 @@ class RespondToControllerTest < ActionController::TestCase
   def test_json_with_callback_sets_javascript_content_type
     @request.accept = 'application/json'
     get :json_with_callback
-    assert_equal 'alert(JS)', @response.body
+    assert_equal '/**/alert(JS)', @response.body
     assert_equal 'text/javascript', @response.content_type
   end
 
diff --git a/actionpack/test/controller/render_json_test.rb b/actionpack/test/controller/render_json_test.rb
index de8d1cbd9b..ada978aa11 100644
--- a/actionpack/test/controller/render_json_test.rb
+++ b/actionpack/test/controller/render_json_test.rb
@@ -101,7 +101,7 @@ class RenderJsonTest < ActionController::TestCase
 
   def test_render_json_with_callback
     xhr :get, :render_json_hello_world_with_callback
-    assert_equal 'alert({"hello":"world"})', @response.body
+    assert_equal '/**/alert({"hello":"world"})', @response.body
     assert_equal 'text/javascript', @response.content_type
   end