authorJohn McLear <john@mclear.co.uk>2018-01-31 08:25:43 +0000
committerGitHub <noreply@github.com>2018-01-31 08:25:43 +0000
commit626e58cc5af1db3691b41fca7b06c28ea43141b1 (patch)
treec773f6ba21af51aa0c66b13af521ce299a52324e
parentd7c93b0c0d7fd8a429512dc12c809c10a8175022 (diff)
parentf56936c93606611f0701950225a88008f1d1ad74 (diff)
Merge pull request #3314 from rhelmer/sanitize-jsonp
better sanitize jsonp
-rw-r--r--src/node/hooks/express/apicalls.js2
-rw-r--r--src/package.json3
2 files changed, 3 insertions, 2 deletions
diff --git a/src/node/hooks/express/apicalls.js b/src/node/hooks/express/apicalls.js
index db0fc81f..7f2f8ecf 100644
--- a/src/node/hooks/express/apicalls.js
+++ b/src/node/hooks/express/apicalls.js
@@ -18,7 +18,7 @@ var apiCaller = function(req, res, fields) {
apiLogger.info("RESPONSE, " + req.params.func + ", " + response);
//is this a jsonp call, if yes, add the function call
- if(req.query.jsonp)
+ if(req.query.jsonp && isVarName(response))
response = req.query.jsonp + "(" + response + ")";
res._____send(response);
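Review bot: The new guard on the added line validates the wrong operand: `isVarName(response)` inspects the serialized JSON body rather than the caller-supplied callback name `req.query.jsonp`, so an unsafe callback name still reaches the response unchanged, while a legitimate callback almost never gets the wrapped form because a JSON document is not a valid identifier. The line should read `if(req.query.jsonp && isVarName(req.query.jsonp))`. The `isVarName` binding is not visible in this hunk, so presumably it is required near the top of the file alongside the new `is-var-name` dependency; worth confirming. The enclosing `apiCaller` function starts and ends outside the hunk.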
diff --git a/src/package.json b/src/package.json
index ca34ac9d..8f083890 100644
--- a/src/package.json
+++ b/src/package.json
@@ -43,7 +43,8 @@
"jsonminify" : "0.4.1",
"measured" : "1.1.0",
"mocha" : "2.4.5",
- "supertest" : "1.2.0"
+ "supertest" : "1.2.0",
+ "is-var-name" : "1.0.0"
},
"bin": { "etherpad-lite": "./node/server.js" },
"devDependencies": {