Protection against rosetta flash attacks

Author: Arnoldas Grigutis

Controller/Controller.php

@@ -110,7 +110,7 @@ public function indexAction(Request $request, $_format)
                 throw new HttpException(400, 'Invalid JSONP callback value');
             }
 
-            $content = $callback.'('.$content.');';
+            $content = '/**/' . $callback . '(' . $content . ');';
         }
 
         $response = new Response($content, 200, array('Content-Type' => $request->getMimeType($_format)));

Tests/Controller/ControllerTest.php

@@ -66,7 +66,7 @@ public function testGenerateWithCallback($callback)
         $response   = $controller->indexAction($this->getRequest('/', 'GET', array('callback' => $callback)), 'json');
 
         $this->assertEquals(
-            sprintf('%s({"base_url":"","routes":[],"prefix":"","host":"","scheme":""});', $callback),
+            sprintf('/**/%s({"base_url":"","routes":[],"prefix":"","host":"","scheme":""});', $callback),
             $response->getContent()
         );
     }