From 85a7b5108dca057fa62052ca2cba07b3f9bdd601 Mon Sep 17 00:00:00 2001
From: struckma
Date: Tue, 17 May 2022 10:29:08 +0200
Subject: [PATCH] fix a potential security risk

This a proposal only, but `jsonlite::fromJSON`, by default, also supports URLs as arguments and will then fetch these parsing the result instead of parsing its argument. If some limesurvey server would somehow be tricked in delivering a URL here, this could set also the API clients on risk, e.g. using CSRF.
---
 R/call_limer.R | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/R/call_limer.R b/R/call_limer.R
index 21a4783..98c5e3d 100644
--- a/R/call_limer.R
+++ b/R/call_limer.R
@@ -36,5 +36,5 @@ call_limer <- function(method, params = list(), ...) {
 r <- httr::POST(getOption('lime_api'), httr::content_type_json(), body = jsonlite::toJSON(body.json, auto_unbox = TRUE), ...)
- return(jsonlite::fromJSON(httr::content(r, as='text', encoding="utf-8"))$result) # incorporated fix by petrbouchal
+ return(jsonlite::parse_json(httr::content(r, as='text', encoding="utf-8"))$result) # incorporated fix by petrbouchal
 }
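Review bot: `jsonlite::parse_json` defaults to `simplifyVector = FALSE`, whereas the `fromJSON` call it replaces on the `-` line simplified by default, so `$result` now comes back as nested lists rather than the vectors and data frames callers of `call_limer` presumably expect, which is a silent change of the return shape beyond the intended fix. To keep the rejection of URL and file-path inputs without changing what callers receive, pass the flag explicitly: `return(jsonlite::parse_json(httr::content(r, as='text', encoding="utf-8"), simplifyVector = TRUE)$result)`. The HTTP status of `r` is still not checked before the body is handed to the parser, so a non-2xx response carrying an HTML or empty body would fail inside the JSON parser with an unrelated message; `httr::stop_for_status(r)` on the line before the return would surface that earlier. The body of `call_limer` begins before the hunk.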