Protection against rosetta flash attacks

[ghost]

This is a rather important security patch. It adds a comment at the beginning of jsonp responses. Instead of

fos.Router.setData(...)

you get

/**/fos.Router.setData(...)

[guilliamxavier]

Since the current, maintained and stable version is 1.6 (latest 1.6.2) and there is no stable 2.0 yet, could this "security patch" be also merged in branch 1.x, and a new tag (1.6.3 or maybe 1.7.0) released? (If not, could someone please explain why?) Thanks

[guilliamxavier]

@tobias-93 and @GuilhemN (based on symfony/symfony-docs#8250): following the example of #286, I have submitted a PR in the hope it will help this be merged to 1.x ^{(unless you plan to release a stable 2.0 in the [very] short term?)}, see #292 (actually 4 PRs, 291 to 294, all really straightforward)

[tobias-93]

@guilliamxavier Thank you for your good work, they all look good to me. However, I'm not in the position to merge this (the 'issue' in symfony/symfony-docs#8250 isn't closed either)... Maybe @GuilhemN or @willdurand could have a look?

[GuilhemN]

@tobias-93 sorry I don't have much time to dedicate to this, I added you as collaborator so that you can merge it if you think it's ready.

[tobias-93]

@GuilhemN That's ok. Thank you, I'll have a look!

[guilliamxavier]

@tobias-93 Many thanks for the backports and the new tag/release, I just successfully received the fixes with a composer update (to 1.6.3) :)