Script gets injected into raw controller results.
frekvent-szabolcs opened this issue · 0 comments
frekvent-szabolcs commented
I use a backend controller (implementing HttpGetActionInterface
) to return a CSV file. I trigger the download with a button click. (button in system.xml, block type is a custom AbstractElement
and I changed the button onClick to setLocaltion(...backendUrl->getUrl()...)
).
The file I download this way when the MSP Devtools is enabled get the script tag appended:
If the devtools is disabled, I get the expected CSV file.
I think this issue is similar to #53
Preconditions
Magento: 2.4.6
PHP: 8.1
Steps to reproduce
Backend controller like:
<?php
declare(strict_types=1);
namespace YourNameSpace\YourModule\Controller\Adminhtml\System\Config;
use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\App\Config\ScopeConfigInterface;
use Magento\Framework\App\Filesystem\DirectoryList;
use Magento\Framework\App\Response\Http\FileFactory;
use Magento\Framework\App\ResponseInterface;
use Magento\Framework\Controller\Result\Forward;
use Magento\Framework\Controller\Result\RawFactory;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;
use Magento\Framework\Exception\FileSystemException;
use Magento\Framework\Filesystem;
use Magento\Framework\Filesystem\Driver\File;
class Download implements HttpGetActionInterface
{
private RawFactory $resultRawFactory;
private FileFactory $fileFactory;
private Filesystem $filesystem;
private File $fileDriver;
private ResultFactory $resultFactory;
private ScopeConfigInterface $scopeConfig;
public function __construct(
\Magento\Backend\App\Action\Context $context,
RawFactory $resultRawFactory,
FileFactory $fileFactory,
Filesystem $filesystem,
File $fileDriver,
ResultFactory $resultFactory,
ScopeConfigInterface $scopeConfig
)
{
$this->resultRawFactory = $resultRawFactory;
$this->fileFactory = $fileFactory;
$this->filesystem = $filesystem;
$this->fileDriver = $fileDriver;
$this->resultFactory = $resultFactory;
$this->scopeConfig = $scopeConfig;
}
/**
*
* @throws FileSystemException
* @throws \Exception
*/
public function execute(): ResponseInterface|ResultInterface
{
$mediaPath = $this->filesystem->getDirectoryRead(DirectoryList::MEDIA)->getAbsolutePath();
$uploadDir = 'YourNameSpace_on_site_install/';
$currentFile = $this->scopeConfig->getValue("YourNameSpace_catalog/on_site_install/on_site_install_file_upload", ScopeConfigInterface::SCOPE_TYPE_DEFAULT);
$filePath = $mediaPath.$uploadDir.$currentFile;
if (!$this->fileDriver->isExists($filePath)) {
/** @var Forward $resultForward */
$resultForward = $this->resultFactory->create(ResultFactory::TYPE_FORWARD);
$resultForward->forward('noroute');
return $resultForward;
}
$content = $this->fileDriver->fileGetContents($filePath);
$this->fileFactory->create(
'on-site-install.csv',
$content,
DirectoryList::MEDIA,
'text/csv' // <--- IF I CHANGE THIS TO 'application/json' I DO NOT GET THE SCRIPT TAG INJECTED !!
);
return $this->resultRawFactory->create();
}
}
Expected result
It should not inject script code into raw files. Maybe skip media types like text/*
similar to application/json
.