Browser link – Random IT Utensils https://blog.adamfurmanek.pl IT, operating systems, maths, and more. Sun, 02 Apr 2017 08:23:59 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.2 Browser link injecting into MVC action response https://blog.adamfurmanek.pl/2017/04/08/browser-link-injecting-into-mvc-action-response/ https://blog.adamfurmanek.pl/2017/04/08/browser-link-injecting-into-mvc-action-response/#respond Sat, 08 Apr 2017 08:00:51 +0000 https://blog.adamfurmanek.pl/?p=2111 Continue reading Browser link injecting into MVC action response]]> Imagine that you have the following action in MVC 5 controller:

[HttpGet]
public string GetData()
{
	return JsonConvert.SerializeObject(
		new JObject(
			new JProperty("message", "Ok"), 
			new JProperty("data", new JObject(
				new JProperty("value", "< /body>")
			))
		)
	);
}

We create simple object on a fly, serialize it to string and return. What you might actually get? Well:

{"message":"Ok","data":{"value":"
<!-- Visual Studio Browser Link -->
< script type="application/json" id="__browserLink_initializationData">
    {"appName":"Opera"}
< /script>
< script type="text/javascript" src="http://localhost:55192/9ff0617132d944e4bb76030619552ec4/browserLink" async="async"></script>
<!-- End Browser Link -->

< /body>"}}

So it looks like browser link decided to inject itself just before body ending tag.

Why did it do so? If we check response headers, we will see the following one:

Content-Type:text/html; charset=utf-8

So application decides to send html (instead of javascript) so browser link decides to inject itself. Solution is obvious:

Response.ContentType = "text/javascript";

]]>
https://blog.adamfurmanek.pl/2017/04/08/browser-link-injecting-into-mvc-action-response/feed/ 0