
Merge pull request #44 from benmanns/hotfix/jsonp-escape-u2028-and-u2…

…029-for-1.8

Escape \u2028 and \u2029 for 1.8
commit 42b92b7f56f96dab3cbfd371ca8a63d04beea78d 2 parents 84a4bdf + 75b4ef8
@rkh rkh authored
Showing with 23 additions and 3 deletions.
  1. +13 −1 lib/rack/contrib/jsonp.rb
  2. +10 −2 test/spec_rack_jsonp.rb
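--- a/lib/rack/contrib/jsonp.rb
+++ b/lib/rack/contrib/jsonp.rb
@@ -10,6 +10,18 @@ class JSONP
 VALID_JS_VAR = /[a-zA-Z_$][\w$]*/
 VALID_CALLBACK = /\A#{VALID_JS_VAR}(?:\.?#{VALID_JS_VAR})*\z/
+ # These hold the Unicode characters \u2028 and \u2029.
+ #
+ # They are defined in constants for Ruby 1.8 compatibility.
+ #
+ # In 1.8
+ # "\u2028" # => "u2028"
+ # "\u2029" # => "u2029"
+ # In 1.9
+ # "\342\200\250" # => "\u2028"
+ # "\342\200\251" # => "\u2029"
+ U2028, U2029 = ("\u2028" == 'u2028') ? ["\342\200\250", "\342\200\251"] : ["\u2028", "\u2029"]
+
 def initialize(app)
 @app = app
 end
@@ -83,7 +95,7 @@ def pad(callback, response, body = "")
 # replacing them with the escaped version. This should be safe because
 # according to the JSON spec, these characters are *only* valid inside
 # a string and should therefore not be present any other places.
- body << s.to_s.gsub("\u2028", '\u2028').gsub("\u2029", '\u2029')
+ body << s.to_s.gsub(U2028, '\u2028').gsub(U2029, '\u2029')
 end
 # https://github.com/rack/rack-contrib/issues/46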
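Review bot: The escape on the changed line in `pad` runs on each `s` separately, so a U+2028 or U+2029 whose three UTF-8 bytes are split across two body parts would match neither `gsub` and reach the client unescaped. The loop around this line lies outside the hunk, so this is inferred from `body << s.to_s…`; if it does iterate over response parts, the safer shape is to append raw with `body << s.to_s` and escape once after the loop with `body.gsub(U2028, '\u2028').gsub(U2029, '\u2029')`. The comment above `U2028, U2029` explains the 1.8 workaround but not why the characters matter; a line such as `# Both are line terminators in JavaScript, so they must never appear raw in the padded response.` would help the next reader.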
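--- a/test/spec_rack_jsonp.rb
+++ b/test/spec_rack_jsonp.rb
@@ -53,12 +53,20 @@
 end
 specify "should not allow literal U+2028 or U+2029" do
- test_body = "{\"bar\":\"\u2028 and \u2029\"}"
+ test_body = unless "\u2028" == 'u2028'
+ "{\"bar\":\"\u2028 and \u2029\"}"
+ else
+ "{\"bar\":\"\342\200\250 and \342\200\251\"}"
+ end
 callback = 'foo'
 app = lambda { |env| [200, {'Content-Type' => 'application/json'}, [test_body]] }
 request = Rack::MockRequest.env_for("/", :params => "foo=bar&callback=#{callback}")
 body = Rack::JSONP.new(app).call(request).last
- body.join.should.not.match(/\u2028|\u2029/)
+ unless "\u2028" == 'u2028'
+ body.join.should.not.match(/\u2028|\u2029/)
+ else
+ body.join.should.not.match(/\342\200\250|\342\200\251/)
+ end
 end
 context "but is empty" do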
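Review bot: The spec only asserts that the raw characters are absent, so it would still pass if the middleware dropped them instead of escaping them. A positive check after the `unless`/`else` block, for example `body.join.should.match(/\\u2028 and \\u2029/)`, would pin the intended output. The app here returns a single-element body `[test_body]`; a second case that splits the string in the middle of one of the multi-byte characters would cover the multi-part path. The version probe `"\u2028" == 'u2028'` is written out twice as `unless … else`; computing the literal and the pattern once at the top of the spec would keep the 1.8 and 1.9 branches from drifting apart.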