
Charset for JSON exchanges (#6710)

Apply some minor recommendations from Snyk scanner
Alexandre Alapetite 1 年之前
當前提交
3c2167d60b
共有 4 個文件被更改,包括 16 次插入15 次删除
  1. 1 1
      lib/Minz/Request.php
  2. 1 1
      p/scripts/category.js
  3. 1 1
      p/scripts/global_view.js
  4. 13 12
      p/scripts/main.js

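--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -440,7 +440,7 @@ class Minz_Request {
 	 * Allows receiving POST data as application/json
 	 */
 	private static function initJSON(): void {
-		if ('application/json' !== self::extractContentType()) {
+		if (!str_starts_with(self::extractContentType(), 'application/json')) {
 			return;
 		}
 		$ORIGINAL_INPUT = file_get_contents('php://input', false, null, 0, 1048576);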
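Review bot: The new prefix test on the `if` line accepts any media type that merely begins with `application/json` (for example `application/jsonrequest` or `application/json-patch+json`), and it is case-sensitive unless extractContentType() already lowercases its result, which the hunk does not show. Parsing the media type keeps the check exact while still tolerating parameters such as `charset`: `$type = strtolower(trim(explode(';', (string) self::extractContentType(), 2)[0]));` followed by `if ($type !== 'application/json') {`. RFC 8259 defines no charset parameter for JSON and requires UTF-8, so the body should be decoded as UTF-8 whatever the client puts in `charset`; a one-line comment on the `if` such as `// Media-type parameters (charset) are ignored: JSON is always UTF-8 (RFC 8259)` would record that. `str_starts_with()` exists only from PHP 8.0, so if the project still supports an older PHP a polyfill is needed. initJSON's body continues outside the hunk, so how the input truncated at 1 MiB is decoded cannot be checked here.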

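--- a/p/scripts/category.js
+++ b/p/scripts/category.js
@@ -143,7 +143,7 @@ function init_draggable() {
 					dragFeedId = '';
 					dragHtml = '';
 				};
-				req.setRequestHeader('Content-Type', 'application/json');
+				req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 				req.send(JSON.stringify({
 					f_id: dragFeedId,
 					c_id: ul_dropzone.getAttribute('data-cat-id'),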
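Review bot: The payload object opened on the `req.send(JSON.stringify({` line is cut off after `c_id`, and unlike every other JSON POST touched by this commit no `_csrf: context.csrf` field is visible in it; confirm the token is supplied in the lines that follow, since the server now matches this content type by prefix and processes the JSON body as request data. The explicit charset is harmless but also not a switch: the browser already encodes the string from `JSON.stringify` as UTF-8, so a short comment on the header line such as `// JSON is always UTF-8 (RFC 8259); the charset parameter only documents that` would stop readers from expecting it to change the encoding. init_draggable starts before the hunk and continues after it.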

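--- a/p/scripts/global_view.js
+++ b/p/scripts/global_view.js
@@ -49,7 +49,7 @@ function load_panel(link) {
 
 				const req2 = new XMLHttpRequest();
 				req2.open('POST', b.formAction, false);
-				req2.setRequestHeader('Content-Type', 'application/json');
+				req2.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 				req2.send(JSON.stringify({
 					_csrf: context.csrf,
 				}));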

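--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -85,8 +85,7 @@ function numberFormat(nStr) {
 		return 0;
 	}
 	// http://www.mredkj.com/javascript/numberFormat.html
-	nStr += '';
-	const x = nStr.split('.');
+	const x = String(nStr).split('.');
 	const x2 = x.length > 1 ? '.' + x[1] : '';
 	const rgx = /(\d+)(\d{3})/;
 	let x1 = x[0];
@@ -279,7 +278,7 @@ function send_mark_read_queue(queue, asRead, callback) {
 			callback();
 		}
 	};
-	req.setRequestHeader('Content-Type', 'application/json');
+	req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 	req.send(JSON.stringify({
 		ajax: true,
 		_csrf: context.csrf,
@@ -392,7 +391,7 @@ function mark_favorite(div) {
 
 		delete pending_entries[div.id];
 	};
-	req.setRequestHeader('Content-Type', 'application/json');
+	req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 	req.send(JSON.stringify({
 		ajax: true,
 		_csrf: context.csrf,
@@ -544,7 +543,8 @@ function prev_feed() {
 			continue;
 		}
 		if (feed.dataset.unread != 0) {
-			return delayedClick(feed.querySelector('a.item-title'));
+			delayedClick(feed.querySelector('a.item-title'));
+			return;
 		} else if (adjacent === null) {
 			adjacent = feed;
 		}
@@ -573,7 +573,8 @@ function next_feed() {
 			continue;
 		}
 		if (feed.dataset.unread != 0) {
-			return delayedClick(feed.querySelector('a.item-title'));
+			delayedClick(feed.querySelector('a.item-title'));
+			return;
 		} else if (adjacent === null) {
 			adjacent = feed;
 		}
@@ -1260,7 +1261,7 @@ function init_stream(stream) {
 						loadDynamicTags(checkboxTag.closest('div.dropdown'));
 					}
 				};
-				req.setRequestHeader('Content-Type', 'application/json');
+				req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 				req.send(JSON.stringify({
 					_csrf: context.csrf,
 					id_tag: tagId,
@@ -1421,7 +1422,7 @@ function refreshFeed(feeds, feeds_count) {
 			req2.onloadend = function (e) {
 				delayedFunction(function () { location.reload(); });
 			};
-			req2.setRequestHeader('Content-Type', 'application/json');
+			req2.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 			req2.send(JSON.stringify({
 				_csrf: context.csrf,
 				noCommit: 0,
@@ -1430,7 +1431,7 @@ function refreshFeed(feeds, feeds_count) {
 			refreshFeed(feeds, feeds_count);
 		}
 	};
-	req.setRequestHeader('Content-Type', 'application/json');
+	req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 	req.send(JSON.stringify({
 		_csrf: context.csrf,
 		noCommit: 1,
@@ -1446,7 +1447,7 @@ function refreshFeeds(json) {
 		req2.onloadend = function (e) {
 			context.ajax_loading = false;
 		};
-		req2.setRequestHeader('Content-Type', 'application/json');
+		req2.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 		req2.send(JSON.stringify({
 			_csrf: context.csrf,
 			noCommit: 0,
@@ -1481,7 +1482,7 @@ function refreshDynamicOpml(categories, categories_count, next) {
 			refreshDynamicOpml(categories, categories_count, next);
 		}
 	};
-	req.setRequestHeader('Content-Type', 'application/json');
+	req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 	req.send(JSON.stringify({
 		_csrf: context.csrf,
 		noCommit: 1,
@@ -1552,7 +1553,7 @@ function init_actualize() {
 				refreshFeeds(json);
 			}
 		};
-		req.setRequestHeader('Content-Type', 'application/json');
+		req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
 		req.send(JSON.stringify({
 			_csrf: context.csrf,
 		}));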
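Review bot: The identical `req.setRequestHeader('Content-Type', 'application/json; charset=utf-8')` line is now repeated at eight call sites in this file (plus one each in category.js and global_view.js), every one immediately followed by `req.send(JSON.stringify({...}))`, so the client side of the JSON contract that initJSON() checks on the server lives in ten copies that must be kept in sync. A small helper that sets the header and serialises the payload would put it in one place and make the next adjustment (another parameter, a different check on the server) a one-line change; the fence shows the helper and the send_mark_read_queue call site rewritten to use it. Every function touched by these hunks except numberFormat's visible part starts or ends outside its hunk, so the already-opened `req` and the remaining payload fields are assumed from the visible lines.
```javascript
/**
 * Send `payload` as the JSON body of an already-opened XMLHttpRequest.
 * JSON is always UTF-8 (RFC 8259); the charset parameter only documents that.
 */
function sendJson(req, payload) {
	req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
	req.send(JSON.stringify(payload));
}

// … unchanged: send_mark_read_queue up to and including its onreadystatechange handler …
	sendJson(req, {
		ajax: true,
		_csrf: context.csrf,
		// … unchanged: remaining payload fields and the closing of the call …
```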