Make content type detection more robust.

Someone could have a detector that wants to find text/html and the previous change would break that.
cakephp · Jun 25, 2022 · d936dd5 · d936dd5
1 parent 97d3982
commit d936dd5
Showing 1 changed file with 23 additions and 4 deletions.
diff --git a/src/Http/ServerRequest.php b/src/Http/ServerRequest.php
@@ -129,7 +129,12 @@ class ServerRequest implements ServerRequestInterface
         'ssl' => ['env' => 'HTTPS', 'options' => [1, 'on']],
         'ajax' => ['env' => 'HTTP_X_REQUESTED_WITH', 'value' => 'XMLHttpRequest'],
         'json' => ['accept' => ['application/json'], 'param' => '_ext', 'value' => 'json'],
-        'xml' => ['accept' => ['application/xml', 'text/xml'], 'param' => '_ext', 'value' => 'xml'],
+        'xml' => [
+            'accept' => ['application/xml', 'text/xml'],
+            'exclude' => ['text/html'],
+            'param' => '_ext',
+            'value' => 'xml'
+        ],
     ];
 
     /**
@@ -554,11 +559,25 @@ protected function _acceptHeaderDetector(array $detect): bool
     {
         $content = new ContentTypeNegotiation();
         $options = $detect['accept'];
-        // We add text/html as the browsers often combine xml + html types together.
-        $options[] = 'text/html';
+
+        // Some detectors overlap with the default browser Accept header
+        // For these types we use an exclude list to refine our content type
+        // detection.
+        $exclude = null;
+        if (!empty($detect['exclude'])) {
+            $exclude = $detect['exclude'];
+            $options = array_merge($options, $exclude);
+        }
+
         $accepted = $content->preferredType($this, $options);
+        if ($accepted === null) {
+            return false;
+        }
+        if ($exclude && in_array($accepted, $exclude, true)) {
+            return false;
+        }
 
-        return $accepted !== null && $accepted != 'text/html';
+        return true;
     }
 
     /**