
Fix for ForeverFrameTransport not escaping inline </script> elements

Fixes #413.
1 parent e7672eb commit a9beb7cdffbad5b5ab42ccf87dbc7c99ac20f29c @drub0y drub0y committed May 23, 2012
Showing with 8 additions and 0 deletions.
  1. +8 −0 SignalR/Transports/ForeverFrameTransport.cs
@@ -46,8 +46,11 @@ public override void KeepAlive()
public override Task Send(PersistentResponse response)
{
var data = JsonSerializer.Stringify(response);
+
OnSending(data);
+ data = EscapeAnyInlineScriptTags(data);
+
var script = "<script>r(c, " + data + ");</script>\r\n";
if (_isDebug)
{
@@ -63,5 +66,10 @@ protected override Task InitializeResponse(ITransportConnection connection)
.Then(initScript => Context.Response.WriteAsync(initScript),
_initPrefix + Context.Request.QueryString["frameId"] + _initSuffix);
}
+
+ private static string EscapeAnyInlineScriptTags(string input)
+ {
+ return input.Replace("</script>", "</\"+\"script>");
+ }
}
}
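Review bot: `EscapeAnyInlineScriptTags` replaces only the exact lower-case string `</script>`, but an HTML parser closes a script block on the tag name case-insensitively and also when whitespace or `/` precedes the `>`, so a differently cased or space-padded end tag in the serialized payload still reaches the forever-frame response unescaped. Because `<` can only occur inside string literals in serialized JSON, escaping the character itself covers every variant (including `<!--`) and does not depend on the quote style of the surrounding string: `return input.Replace("<", "\\u003c");`. A short comment on the helper stating that `data` is embedded in an inline `<script>` element and must never contain a raw `<` would keep later edits from weakening it. Separately, the context lines of the second hunk concatenate `Context.Request.QueryString["frameId"]` into the init script; if that value is not validated elsewhere (not visible in this diff), it should be validated or encoded before it is written to the response. The body of `Send` continues outside the first hunk.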
