author | Robert Helmer <rhelmer@rhelmer.org> | 2018-01-30 12:52:19 -0800 |
---|---|---|
committer | Robert Helmer <rhelmer@rhelmer.org> | 2018-01-30 12:52:19 -0800 |
commit | f56936c93606611f0701950225a88008f1d1ad74 (patch) | |
tree | c773f6ba21af51aa0c66b13af521ce299a52324e | |
parent | d7c93b0c0d7fd8a429512dc12c809c10a8175022 (diff) | |
better sanitize jsonp
-rw-r--r-- | src/node/hooks/express/apicalls.js | 2 | ||||
-rw-r--r-- | src/package.json | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/src/node/hooks/express/apicalls.js b/src/node/hooks/express/apicalls.js
index db0fc81f..7f2f8ecf 100644
--- a/src/node/hooks/express/apicalls.js
+++ b/src/node/hooks/express/apicalls.js
@@ -18,7 +18,7 @@ var apiCaller = function(req, res, fields) {
 apiLogger.info("RESPONSE, " + req.params.func + ", " + response);
 //is this a jsonp call, if yes, add the function call
- if(req.query.jsonp)
+ if(req.query.jsonp && isVarName(response))
 response = req.query.jsonp + "(" + response + ")";
 res._____send(response);
diff --git a/src/package.json b/src/package.json
index ca34ac9d..8f083890 100644
--- a/src/package.json
+++ b/src/package.json
@@ -43,7 +43,8 @@
 "jsonminify" : "0.4.1",
 "measured" : "1.1.0",
 "mocha" : "2.4.5",
- "supertest" : "1.2.0"
+ "supertest" : "1.2.0",
+ "is-var-name" : "1.0.0"
 },
 "bin": { "etherpad-lite": "./node/server.js" },
 "devDependencies": {
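Review bot: The new guard validates the wrong value: `isVarName(response)` tests the serialized response body (the logging line above concatenates it as text), not the caller-supplied callback name, so a JSON document such as `{"code":0,...}` never qualifies as an identifier and the JSONP branch is effectively disabled, while `req.query.jsonp` itself is never checked before being prepended to the output. The check belongs on the query parameter: `if(req.query.jsonp && isVarName(req.query.jsonp))`. is-var-name accepts a single identifier only, so a dotted callback like `ns.cb` will be rejected; the comment above should say so, e.g. `//is this a jsonp call? only wrap when the callback is a plain identifier, so untrusted input cannot inject script into the response`. The `require` that binds `isVarName` is not in this hunk and presumably sits with the other module imports at the top of the file; confirm it exists, since the package.json hunk only adds the dependency. apiCaller's body starts and ends outside the hunk.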