
Remove unsafe characters from JSONP callback names.

This prevents JSONP callbacks from being used as an XSS vector. The set
of acceptable characters is intentionally more limited than the full
set of valid characters in JS identifiers in order to avoid complexity,
but this could be expanded in the future if necessary.
1 parent 1b854f4 commit 7791169810a4d0d02f0585fcc534e82fb3b69f55 @rgrove rgrove committed with tj Jan 13, 2011
Showing with 5 additions and 1 deletion.
  1. +1 −1 lib/express/response.js
  2. +4 −0 test/response.test.js
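--- a/lib/express/response.js
+++ b/lib/express/response.js
@@ -85,7 +85,7 @@ http.ServerResponse.prototype.send = function(body, headers, status){
 body = JSON.stringify(body);
 if (this.req.query.callback && this.app.settings['jsonp callback']) {
 this.header('Content-Type', 'text/javascript');
-body = this.req.query.callback + '(' + body + ');';
+body = this.req.query.callback.replace(/[^\w$.]/g, '') + '(' + body + ');';
 }
 }
 break;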
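Review bot: The new line calls `.replace` directly on `this.req.query.callback`, but only the truthiness of that value is checked on the line above; if the query parser hands back a non-string for a repeated `callback` key (an array, as most query parsers do), this now throws a TypeError inside `send` instead of producing a response. Guarding on the type keeps the sanitization while avoiding the crash: `var cb = this.req.query.callback; body = (typeof cb === 'string' ? cb.replace(/[^\w$.]/g, '') : '') + '(' + body + ');'`. It is also worth a comment on the whitelist explaining the trade-off the commit message makes, since silently stripping rather than rejecting means a callback such as `a<b` is served as `ab(...)` with no signal to the caller; a one-line `// allow-list: identifier chars and '.' only; anything else is dropped rather than rejected` would make that deliberate. The `send` function begins before this hunk and continues past the `break;`.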
@@ -64,6 +64,10 @@ module.exports = {
{ body: 'baz({"foo":"bar"});', status: 201, headers: { 'Content-Type': 'text/javascript', 'X-Foo': 'baz' }});
assert.response(app,
+ { url: '/jsonp?callback=illegal()[]=;' },
+ { body: 'illegal({"foo":"bar"});', status: 201, headers: { 'Content-Type': 'text/javascript', 'X-Foo': 'baz' }});
+
+ assert.response(app,
{ url: '/json?callback=test' },
{ body: '{"foo":"bar"}', status: 201, headers: { 'Content-Type': 'application/json', 'X-Foo': 'baz' }});

