Ignore callback if empty

commit 8480e96d2c706728c24028b307ff2bd502bd3ef1 1 parent 1dba537
@mtodd mtodd authored
Showing with 14 additions and 3 deletions.
  1. +3 −3 lib/rack/contrib/jsonp.rb
  2. +11 −0 test/spec_rack_jsonp.rb
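--- a/lib/rack/contrib/jsonp.rb
+++ b/lib/rack/contrib/jsonp.rb
@@ -25,14 +25,14 @@ def call(env)
 if has_callback?(request)
 callback = request.params['callback']
-return bad_request unless callback && valid_callback?(callback)
+return bad_request unless valid_callback?(callback)
 end
 status, headers, response = @app.call(env)
 headers = HeaderHash.new(headers)
-if is_json?(headers) && has_callback?(request) && callback
+if is_json?(headers) && has_callback?(request)
 response = pad(callback, response)
 # No longer json, its javascript!
@@ -55,7 +55,7 @@ def is_json?(headers)
 end
 def has_callback?(request)
-request.params.include?('callback')
+request.params.include?('callback') and not request.params['callback'].empty?
 end
 # See: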
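Review bot: The new `has_callback?` body calls `.empty?` on the raw param value, which raises NoMethodError when the key is present with a nil value (a bare `?callback` with no `=` — Rack's nested-query parser yields nil for such keys), and the nil guard this commit removes from the `return bad_request unless ...` line in `call` no longer catches it, so that request turns into a 500 instead of a 400 or a plain JSON pass-through. The line also uses `and`/`not`, whose low precedence is a known trap if the expression is ever combined with an assignment. I would read the value once and test it explicitly: `callback = request.params['callback']` then `!callback.nil? && !callback.empty?` (the `include?` check becomes redundant). `valid_callback?` is outside the hunk; it is worth confirming it tolerates a non-String value such as the Array Rack builds for `callback[]=...`, since `has_callback?` now lets such values through. Both `call` and the helper section continue outside the hunks shown.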
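--- a/test/spec_rack_jsonp.rb
+++ b/test/spec_rack_jsonp.rb
@@ -52,6 +52,17 @@
 headers['Content-Type'].should.equal('application/javascript')
 end
+context "but is empty" do
+specify "should " do
+test_body = '{"bar":"foo"}'
+callback = ''
+app = lambda { |env| [200, {'Content-Type' => 'application/json'}, [test_body]] }
+request = Rack::MockRequest.env_for("/", :params => "foo=bar&callback=#{callback}")
+body = Rack::JSONP.new(app).call(request).last
+body.should.equal ['{"bar":"foo"}']
+end
+end
+
 context "with XSS vulnerability attempts" do
 def request(callback, body = '{"bar":"foo"}')
 app = lambda { |env| [200, {'Content-Type' => 'application/json'}, [body]] }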
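Review bot: The new spec's description is blank (`specify "should " do`), so a failure reports nothing about the expected behavior; name it after the contract, e.g. `specify "should pass the JSON body through untouched" do`. The spec also only inspects the body: an ignored callback should leave the response as JSON, so assert the headers too, e.g. `status, headers, body = Rack::JSONP.new(app).call(request)` followed by `headers['Content-Type'].should.equal('application/json')`. A sibling case with a bare key and no value (`:params => "foo=bar&callback"`) would pin the nil-value path of `has_callback?`, which the current empty-string case does not exercise. The `def request` helper at the end of the hunk continues outside it.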