fix(res.set): remove implicit mime lookup and charset injection for Content-Type #7146
Open
Pandey-Krishnaa wants to merge 1 commit into expressjs:master from
…ontent-Type
Previously, res.set('Content-Type', value) silently called mime.contentType()
on the value, which would:
- perform a mime-type lookup if the value contained no '/' (e.g. 'html' → 'text/html; charset=utf-8')
- append a charset if none was present (e.g. 'text/plain' → 'text/plain; charset=utf-8')
This hidden mutation was unexpected: res.set is a generic header setter and
should not transform user input. res.type() already exists as the dedicated
API for mime-lookup + charset behaviour, and callers that want it should use
that method explicitly.
Changes:
- Remove the Content-Type special-case block from res.set/res.header
- res.json now explicitly sets 'application/json; charset=utf-8' so its
behaviour is unchanged without relying on the removed magic
- Update tests to reflect the new pass-through semantics of res.set
Fixes: expressjs#7034
Closes #7034
res.set('Content-Type', value) was silently calling mime.contentType() on the value, which would:
- … / (e.g. 'html' → 'text/html; charset=utf-8')
- … 'text/plain' → 'text/plain; charset=utf-8')
This hidden mutation is unexpected — res.set is a generic header setter and should not transform user input.
Solution
Remove the Content-Type special-casing from res.set/res.header. Users who want mime lookup + charset behaviour should use res.type(), which already exists for exactly this purpose.
Changes
- … mime.contentType() block from res.set
- res.json now explicitly sets 'application/json; charset=utf-8' so its behaviour is unchanged
- … res.set
Breaking Change
res.set('Content-Type', 'text/plain') will no longer silently become text/plain; charset=utf-8. Use res.type('text/plain') if charset injection is desired.
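The behaviour change described above, as an added example that is not part of this PR or of Express: a simplified model of the old Content-Type handling that reports which values passed to res.set would yield a different header under pass-through. The lookup table, the default-charset rule, the function names and the sample values are constructed assumptions.

```javascript
// Added example: a simplified model, not Express or mime-types source.
// Constructed stand-in for the extension lookup the old code path performed.
const EXT_TO_TYPE = { html: 'text/html', txt: 'text/plain', json: 'application/json' };

// Old behaviour as described in the PR: look up values without '/',
// then append a charset when none is present.
function legacySet(value) {
  let type = value;
  if (!value.includes('/')) {
    type = EXT_TO_TYPE[value.toLowerCase()];
    if (type === undefined) return null; // not covered by this small table
  }
  if (/charset/i.test(type)) return type; // caller already chose a charset
  const base = type.split(';')[0].trim().toLowerCase();
  // Assumption: only text/* and application/json get a default charset here.
  const defaulted = base.startsWith('text/') || base === 'application/json';
  return defaulted ? `${type}; charset=utf-8` : type;
}

// New behaviour proposed by the PR: the header is sent exactly as given.
function passThroughSet(value) {
  return value;
}

// List every value whose emitted header differs between the two behaviours,
// with the transformation that the old code path applied to it.
function auditContentTypes(values) {
  return values
    .map((value) => ({ value, before: legacySet(value), after: passThroughSet(value) }))
    .filter((r) => r.before !== r.after)
    .map((r) => ({ ...r, reason: r.value.includes('/') ? 'charset appended' : 'mime lookup' }));
}

// Constructed sample of values passed to res.set('Content-Type', ...).
const SAMPLE = ['html', 'text/plain', 'text/html; charset=utf-8', 'image/png'];

for (const r of auditContentTypes(SAMPLE)) {
  console.log(`${r.value}: was "${r.before}", now "${r.after}" (${r.reason})`);
}
```

Values that already carry a charset, and types with no default charset in this model, pass through unchanged and are not reported.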