fix jsonp callback char restrictions

expressjs · Aug 29, 2012 · 89c5aff · 89c5aff
1 parent 2bba69f
commit 89c5aff
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/lib/response.js b/lib/response.js
@@ -196,7 +196,7 @@ res.json = function(obj){
   // jsonp
   if (callback && jsonp) {
     this.set('Content-Type', 'text/javascript');
-    body = callback.replace(/[^[]\w$.]/g, '') + '(' + body + ');';
+    body = callback.replace(/[^\[\]\w$.]/g, '') + '(' + body + ');';
   }
 
   return this.send(body);

diff --git a/test/res.json.js b/test/res.json.js
@@ -59,6 +59,23 @@ describe('res', function(){
           done();
         })
       })
+
+      it('should disallow arbitrary js', function(done){
+        var app = express();
+
+        app.enable('jsonp callback');
+        app.use(function(req, res){
+          res.json({});
+        });
+
+        request(app)
+        .get('/?callback=foo;bar()')
+        .end(function(err, res){
+          res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
+          res.text.should.equal('foobar({});');
+          done();
+        })
+      })
     })
 
     describe('when given primitives', function(){