
Fix #59 - restrict characters allowed in callback parameter

1 parent c54fb97 commit 8f64d46c02d96b46357827216143c43b236edd36 @majek majek committed Apr 24, 2012
Showing with 13 additions and 0 deletions.
  1. +7 −0 src/trans-htmlfile.coffee
  2. +6 −0 src/trans-jsonp.coffee
7 src/trans-htmlfile.coffee
@@ -45,6 +45,13 @@ exports.app =
message: '"callback" parameter required'
}
callback = if 'c' of req.query then req.query['c'] else req.query['callback']
+ if /[^a-zA-Z0-9-_.]/.test(callback)
+ throw {
+ status: 500
+ message: 'invalid "callback" parameter'
+ }
+
+
res.setHeader('Content-Type', 'text/html; charset=UTF-8')
res.writeHead(200)
res.write(iframe_template.replace(/{{ callback }}/g, callback));
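Review bot: The added allowlist `/[^a-zA-Z0-9-_.]/` still lets an empty or arbitrarily long callback through, since `.test('')` is false and there is no length bound before the value is substituted into `iframe_template`. The class is also easy to misread: the `-` after `0-9` is literal only because it follows a completed range, so placing it last is safer, e.g. `if not callback or callback.length > MAX_CALLBACK_LEN or /[^a-zA-Z0-9_.-]/.test(callback)` (MAX_CALLBACK_LEN is a placeholder to be chosen by the project). The identical check in src/trans-jsonp.coffee has the same gaps, and moving both into one shared helper would keep them from drifting apart. The handler begins and ends outside this hunk.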
6 src/trans-jsonp.coffee
@@ -29,6 +29,12 @@ exports.app =
}
callback = if 'c' of req.query then req.query['c'] else req.query['callback']
+ if /[^a-zA-Z0-9-_.]/.test(callback)
+ throw {
+ status: 500
+ message: 'invalid "callback" parameter'
+ }
+
res.setHeader('Content-Type', 'application/javascript; charset=UTF-8')
res.writeHead(200)
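Review bot: Only the local `callback` is validated here, and the code that writes it into the `application/javascript` response lies outside this hunk, so it is worth confirming that every later use takes this local and never re-reads `req.query.callback`. When a request carries both `c` and `callback`, the conditional picks `c`, which would leave `req.query.callback` unchecked if anything downstream still reads it. A comment such as `# validated above: pass this local on, never req.query.*` after the check would make that contract explicit.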
