Merge pull request #3314 from rhelmer/sanitize-jsonp

better sanitize jsonp
ether · Jan 31, 2018 · 626e58c · 626e58c
2 parents d7c93b0 + f56936c
commit 626e58c
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/node/hooks/express/apicalls.js b/src/node/hooks/express/apicalls.js
@@ -18,7 +18,7 @@ var apiCaller = function(req, res, fields) {
     apiLogger.info("RESPONSE, " + req.params.func + ", " + response);
 
     //is this a jsonp call, if yes, add the function call
-    if(req.query.jsonp)
+    if(req.query.jsonp && isVarName(response))
       response = req.query.jsonp + "(" + response + ")";
 
     res._____send(response);

diff --git a/src/package.json b/src/package.json
@@ -43,7 +43,8 @@
                       "jsonminify"              : "0.4.1",
                       "measured"                : "1.1.0",
                       "mocha"                   : "2.4.5",
-                      "supertest"               : "1.2.0"
+                      "supertest"               : "1.2.0",
+                      "is-var-name"             : "1.0.0"
                      },
   "bin":             { "etherpad-lite": "./node/server.js" },
   "devDependencies": {