add quotemeta to protect callback_key, and test

ray1729 · Sep 29, 2010 · d5a72bf · d5a72bf
1 parent 1251d51
commit d5a72bf
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/Plack/Middleware/JSONP.pm b/lib/Plack/Middleware/JSONP.pm
@@ -13,7 +13,7 @@ sub call {
         my $res = shift;
         if (defined $res->[2] && ref $res->[2] eq 'ARRAY' && @{$res->[2]} == 1) {
             my $h = Plack::Util::headers($res->[1]);
-            my $callback_key = $self->callback_key || 'callback';
+            my $callback_key = quotemeta($self->callback_key) || 'callback';
             if ($h->get('Content-Type') =~ m!/(?:json|javascript)! &&
                 $env->{QUERY_STRING} =~ /(?:^|&)$callback_key=([^&]+)/) {
                 my $cb = URI::Escape::uri_unescape($1);

diff --git a/t/Plack-Middleware/jsonp.t b/t/Plack-Middleware/jsonp.t
@@ -7,7 +7,7 @@ my $json = '{"foo":"bar"}';
 
 my @tests = (
     {
-        callback_key => 'jsonp',
+        callback_key => 'json.p',
         app          => sub {
             return [ 200, [ 'Content-Type' => 'application/json' ], [$json] ];
         },