fix jsonp callback char restrictions

commit 89c5affc3ba24f5186feb493cb4db9dc473f3479 1 parent 2bba69f
@tj tj authored
Showing with 18 additions and 1 deletion.
  1. +1 −1  lib/response.js
  2. +17 −0 test/res.json.js
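--- a/lib/response.js
+++ b/lib/response.js
@@ -196,7 +196,7 @@ res.json = function(obj){
 // jsonp
 if (callback && jsonp) {
 this.set('Content-Type', 'text/javascript');
- body = callback.replace(/[^[]\w$.]/g, '') + '(' + body + ');';
+ body = callback.replace(/[^\[\]\w$.]/g, '') + '(' + body + ');';
 }
 return this.send(body);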
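Review bot: The corrected allowlist on the `body = callback.replace(...)` line silently rewrites a bad callback name instead of rejecting it, so `foo;bar()` is served as a valid script calling `foobar` — an attacker probe or a caller typo gets a 200 with a different function name rather than an error. Consider computing the sanitized name first and responding 400 when it differs from the raw `callback`, e.g. `var safe = callback.replace(/[^\[\]\w$.]/g, ''); if (safe !== callback) return this.send(400);`. Even with the allowlist, the response starts with attacker-chosen alphanumerics under `text/javascript`; prefixing the script with `/**/` and sending `X-Content-Type-Options: nosniff` makes it harder to repurpose the JSONP response as another content type. `body` is built outside the hunk; if it is raw `JSON.stringify` output, note that JSON does not escape U+2028/U+2029, which are line terminators in JavaScript and can break or alter the emitted script — worth verifying. `res.json` starts and ends outside this hunk.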
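--- a/test/res.json.js
+++ b/test/res.json.js
@@ -59,6 +59,23 @@ describe('res', function(){
 done();
 })
 })
+
+ it('should disallow arbitrary js', function(done){
+ var app = express();
+
+ app.enable('jsonp callback');
+ app.use(function(req, res){
+ res.json({});
+ });
+
+ request(app)
+ .get('/?callback=foo;bar()')
+ .end(function(err, res){
+ res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
+ res.text.should.equal('foobar({});');
+ done();
+ })
+ })
 })
 describe('when given primitives', function(){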
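Review bot: The new `should disallow arbitrary js` case only exercises `;`, `(` and `)`, so a blocklist of those three characters would pass it just as well as the allowlist the commit introduces; it does not demonstrate that whitespace, quotes, angle brackets or a newline are stripped. A second request such as `.get('/?callback=' + encodeURIComponent('foo\n<script>alert(1)</script>'))` asserting `res.text.should.equal('fooscriptalert1script({});')` would pin the allowlist itself. The expected string `'foobar({});'` also documents that malformed callbacks are rewritten rather than rejected, which is a behaviour callers may not want; if that ever changes to a 400, this assertion is the one to update. The enclosing `describe('res', ...)` block starts outside the hunk.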