From f56936c93606611f0701950225a88008f1d1ad74 Mon Sep 17 00:00:00 2001
From: Robert Helmer
Date: Tue, 30 Jan 2018 12:52:19 -0800
Subject: better sanitize jsonp

---
 src/node/hooks/express/apicalls.js | 2 +-
 src/package.json | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/node/hooks/express/apicalls.js b/src/node/hooks/express/apicalls.js
index db0fc81f..7f2f8ecf 100644
--- a/src/node/hooks/express/apicalls.js
+++ b/src/node/hooks/express/apicalls.js
@@ -18,7 +18,7 @@ var apiCaller = function(req, res, fields) {
   apiLogger.info("RESPONSE, " + req.params.func + ", " + response);
 
   //is this a jsonp call, if yes, add the function call
-  if(req.query.jsonp)
+  if(req.query.jsonp && isVarName(response))
     response = req.query.jsonp + "(" + response + ")";
 
   res._____send(response);
diff --git a/src/package.json b/src/package.json
index ca34ac9d..8f083890 100644
--- a/src/package.json
+++ b/src/package.json
@@ -43,7 +43,8 @@
     "jsonminify" : "0.4.1",
     "measured" : "1.1.0",
     "mocha" : "2.4.5",
-    "supertest" : "1.2.0"
+    "supertest" : "1.2.0",
+    "is-var-name" : "1.0.0"
   },
   "bin": { "etherpad-lite": "./node/server.js" },
   "devDependencies": {
-- 
cgit v1.2.3
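Review bot: The identifier check is applied to the wrong operand: `isVarName(response)` validates the serialized API result rather than the caller-supplied callback name, so `req.query.jsonp` is still interpolated into the body unvalidated whenever the branch is taken, and because a JSON object literal is never a valid identifier the JSONP branch will in practice never run at all. The guard should test the query parameter itself: `if(req.query.jsonp && isVarName(req.query.jsonp))`. The hunk does not show a `require('is-var-name')` binding for `isVarName`; presumably it is added near the top of the file, but since it is not in this diff, confirm the name is actually in scope. The enclosing apiCaller function starts and ends outside the hunk.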