fix($http): don't parse templates as JSON

The default behaviour breaks a wide variety of custom interpolation
markers. Even if the JSON text regexps were strengthened to closer
match the standard JSON format, it would still limit the possibilities
of different custom interpolation markers.

Instead, $http will no longer parse JSON if the response Content-Type header
does not include the term 'json', or if the $templateCache is used. For
inline templates, use the `content-type="json"` attribute to ensure that
inline JSON templates are parsed.

BREAKING CHANGE: Previously, responses would be parsed as JSON if their
content looked vaguely like JSON. Now, they are only parsed as JSON if their
Content-Type response header contains the term 'json', and if they are not
coming from the $templateCache.

Closes angular#5756
Closes angular#2973

Author: caitp

src/ng/http.js

@@ -91,11 +91,13 @@ function $HttpProvider() {
 
   var defaults = this.defaults = {
     // transform incoming response data
-    transformResponse: [function(data) {
+    transformResponse: [function(data, headers) {
       if (isString(data)) {
         // strip json vulnerability protection prefix
+        var contentType = isFunction(headers) && headers('Content-Type');
         data = data.replace(PROTECTION_PREFIX, '');
-        if (JSON_START.test(data) && JSON_END.test(data))
+        if (JSON_START.test(data) && JSON_END.test(data) &&
+            (contentType && contentType.indexOf('json') >= 0))
           data = fromJson(data);
       }
       return data;
@@ -133,7 +135,8 @@ function $HttpProvider() {
   var responseInterceptorFactories = this.responseInterceptors = [];
 
   this.$get = ['$httpBackend', '$browser', '$cacheFactory', '$rootScope', '$q', '$injector',
-      function($httpBackend, $browser, $cacheFactory, $rootScope, $q, $injector) {
+      '$templateCache',
+      function($httpBackend, $browser, $cacheFactory, $rootScope, $q, $injector, $templateCache) {
 
     var defaultCache = $cacheFactory('$http');
 

test/ng/httpSpec.js

@@ -1014,8 +1014,10 @@ describe('$http', function() {
 
         describe('default', function() {
 
-          it('should deserialize json objects', function() {
-            $httpBackend.expect('GET', '/url').respond('{"foo":"bar","baz":23}');
+          it('should deserialize json objects with json content-type', function() {
+            $httpBackend.expect('GET', '/url').respond('{"foo":"bar","baz":23}', {
+              'Content-Type': 'application/json'
+            });
             $http({method: 'GET', url: '/url'}).success(callback);
             $httpBackend.flush();
 
@@ -1024,8 +1026,10 @@ describe('$http', function() {
           });
 
 
-          it('should deserialize json arrays', function() {
-            $httpBackend.expect('GET', '/url').respond('[1, "abc", {"foo":"bar"}]');
+          it('should deserialize json arrays with json content-type', function() {
+            $httpBackend.expect('GET', '/url').respond('[1, "abc", {"foo":"bar"}]', {
+              'Content-Type': 'application/json'
+            });
             $http({method: 'GET', url: '/url'}).success(callback);
             $httpBackend.flush();
 
@@ -1034,8 +1038,10 @@ describe('$http', function() {
           });
 
 
-          it('should deserialize json with security prefix', function() {
-            $httpBackend.expect('GET', '/url').respond(')]}\',\n[1, "abc", {"foo":"bar"}]');
+          it('should deserialize json with security prefix with json content-type', function() {
+            $httpBackend.expect('GET', '/url').respond(')]}\',\n[1, "abc", {"foo":"bar"}]', {
+              'Content-Type': 'application/json'
+            });
             $http({method: 'GET', url: '/url'}).success(callback);
             $httpBackend.flush();
 
@@ -1044,8 +1050,10 @@ describe('$http', function() {
           });
 
 
-          it('should deserialize json with security prefix ")]}\'"', function() {
-            $httpBackend.expect('GET', '/url').respond(')]}\'\n\n[1, "abc", {"foo":"bar"}]');
+          it('should deserialize json with security prefix ")]}\'" with json content-type', function() {
+            $httpBackend.expect('GET', '/url').respond(')]}\'\n\n[1, "abc", {"foo":"bar"}]', {
+              'Content-Type': 'application/json'
+            });
             $http({method: 'GET', url: '/url'}).success(callback);
             $httpBackend.flush();
 
@@ -1054,8 +1062,10 @@ describe('$http', function() {
           });
 
 
-          it('should not deserialize tpl beginning with ng expression', function() {
-            $httpBackend.expect('GET', '/url').respond('{{some}}');
+          it('should not deserialize tpl beginning with ng expression with json content-type', function() {
+            $httpBackend.expect('GET', '/url').respond('{{some}}', {
+              'Content-Type': 'application/json'
+            });
             $http.get('/url').success(callback);
             $httpBackend.flush();
 
@@ -1065,6 +1075,16 @@ describe('$http', function() {
         });
 
 
+        it('should not deserialize tpl from $templateCache', inject(function($templateCache, $rootScope) {
+          $templateCache.put('foo.json', '{ "foo": "bar" }');
+          $http.get('foo.json', { cache: $templateCache }).success(callback);
+          $rootScope.$digest();
+
+          expect(callback).toHaveBeenCalledOnce();
+          expect(callback.mostRecentCall.args[0]).toBe('{ "foo": "bar" }');
+        }));
+
+
         it('should have access to response headers', function() {
           $httpBackend.expect('GET', '/url').respond(200, 'response', {h1: 'header1'});
           $http.get('/url', {

test/ngResource/resourceSpec.js

@@ -534,7 +534,9 @@ describe("resource", function() {
   it('should exercise full stack', function() {
     var Person = $resource('/Person/:id');
 
-    $httpBackend.expect('GET', '/Person/123').respond('\n{\n"name":\n"misko"\n}\n');
+    $httpBackend.expect('GET', '/Person/123').respond('\n{\n"name":\n"misko"\n}\n', {
+      'Content-Type': 'application/json'
+    });
     var person = Person.get({id:123});
     $httpBackend.flush();
     expect(person.name).toEqual('misko');