• Functions list_terms() and list_posts() return JSON content, but in the Response header there’s a text/html Content-Type instead of application/json.

    This is a potential XSS vulnerability.

    [General]
    Request URL:XXX/wp-admin/admin-ajax.php
    Request Method:POST
    Status Code:200 OK
    Referrer Policy:no-referrer-when-downgrade

    [Request Header]
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Connection: keep-alive
    Content-Length: 44
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    Accept-Encoding: gzip, deflate, br
    Accept-Language: pl,en-US;q=0.8,en;q=0.6,de-DE;q=0.4,de;q=0.2

    [Response Header]
    HTTP/1.1 200 OK
    Date: Thu, 08 Jun 2017 11:39:17 GMT
    Server: Apache/2.4.10 (Debian)
    Access-Control-Allow-Credentials: true
    X-Robots-Tag: noindex
    X-Content-Type-Options: nosniff
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Frame-Options: SAMEORIGIN
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 14859
    Keep-Alive: timeout=5, max=93
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8 <— Should be: application/json
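The header mismatch described in the report, as an added illustration that is not the plugin's code and not from this thread: a hypothetical WordPress AJAX handler (action name `example_list_posts`, the `s` POST parameter and the `edit_posts` capability are assumptions) that emits JSON without setting the Content-Type, next to the same handler using `wp_send_json_*()`, which sets `application/json` before writing the body.

```php
<?php
// Added example, not the plugin's own code. Action name, parameter and
// capability are hypothetical; only the WordPress APIs are real.

// Vulnerable pattern: the JSON body is echoed with no header() call, so
// admin-ajax.php keeps its default "Content-Type: text/html". A browser
// that renders this response directly treats it as HTML, and any caller-
// supplied string reflected in the JSON (here the search term) becomes
// part of that document.
function example_list_posts_vulnerable() {
    $search = isset( $_POST['s'] ) ? wp_unslash( $_POST['s'] ) : '';
    $posts  = get_posts( array( 's' => $search, 'posts_per_page' => 5 ) );
    $out    = array(
        'query'  => $search,
        'titles' => wp_list_pluck( $posts, 'post_title' ),
    );
    echo json_encode( $out ); // Content-Type is still text/html here
    wp_die();
}

// Hardened pattern: wp_send_json_success()/wp_send_json_error() send
// "Content-Type: application/json" and end the request; the nonce and
// capability checks restrict who can call the action; the JSON_HEX_*
// flags encode <, >, &, ' and " so the body stays inert even when a
// client mislabels it.
function example_list_posts_hardened() {
    check_ajax_referer( 'example_list_posts', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $search = isset( $_POST['s'] )
        ? sanitize_text_field( wp_unslash( $_POST['s'] ) )
        : '';
    $posts  = get_posts( array( 's' => $search, 'posts_per_page' => 5 ) );
    $out    = array(
        'query'  => $search,
        'titles' => wp_list_pluck( $posts, 'post_title' ),
    );
    wp_send_json_success(
        $out,
        200,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}
add_action( 'wp_ajax_example_list_posts', 'example_list_posts_hardened' );
```

The captured response already carries `X-Content-Type-Options: nosniff`, which stops MIME sniffing but does not change the declared `text/html` type; only the handler setting `application/json` does that.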

Viewing 1 replies (of 1 total)
  • Plugin Author Brecht

    (@brechtvds)

    I’m a bit confused. What functions are you referring to?
    We don’t use list_terms or list_posts anywhere in our code.

    Kind regards,
    Brecht

  • The topic ‘ExtraController return text/html instead application/json’ is closed to new replies.