Fix #59 - restrict characters allowed in callback parameter
majek committed Apr 24, 2012
1 parent c54fb97 commit 8f64d46
Showing 2 changed files with 13 additions and 0 deletions.
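--- a/src/trans-htmlfile.coffee
+++ b/src/trans-htmlfile.coffee
@@ -45,6 +45,13 @@ exports.app =
 message: '"callback" parameter required'
 }
 callback = if 'c' of req.query then req.query['c'] else req.query['callback']
+if /[^a-zA-Z0-9-_.]/.test(callback)
+throw {
+status: 500
+message: 'invalid "callback" parameter'
+}
+
+
 res.setHeader('Content-Type', 'text/html; charset=UTF-8')
 res.writeHead(200)
 res.write(iframe_template.replace(/{{ callback }}/g, callback));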
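Review bot: The added test `/[^a-zA-Z0-9-_.]/.test(callback)` only looks for a forbidden character, so an empty value (`?c=`) passes and is still substituted into `iframe_template` by the `res.write` line below it. `RegExp.test` also coerces its argument to a string, so a non-string value (if the query parser can produce one for repeated keys, which is not visible here) is judged on its coerced form instead of being rejected outright. A positive, anchored match with a type check covers both: `if typeof callback isnt 'string' or not /^[a-zA-Z0-9-_.]+$/.test(callback)`. The same condition is added in src/trans-jsonp.coffee and would need the same change; the enclosing handler starts and ends outside the hunk.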
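--- a/src/trans-jsonp.coffee
+++ b/src/trans-jsonp.coffee
@@ -29,6 +29,12 @@ exports.app =
 }
 
 callback = if 'c' of req.query then req.query['c'] else req.query['callback']
+if /[^a-zA-Z0-9-_.]/.test(callback)
+throw {
+status: 500
+message: 'invalid "callback" parameter'
+}
+
 res.setHeader('Content-Type', 'application/javascript; charset=UTF-8')
 res.writeHead(200)
 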
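Review bot: The callback check added after the `callback =` line is a second copy of the regex and `throw` block that this commit also adds to src/trans-htmlfile.coffee, so the allowed character set now lives in two places and one transport can be loosened or tightened without the other. Moving the test into one shared function that both handlers call would keep the restriction identical wherever the callback name is echoed back to the client. Separately, the `-` in `0-9-_` is a literal only because it follows a completed range; writing the class as `[^a-zA-Z0-9_.-]` makes that intent explicit and harder to break in a later edit. A short comment such as `# callback is reflected into the response, so allow identifier characters only` would record why the check exists; where `callback` is used in this handler is outside the hunk.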
