From f56936c93606611f0701950225a88008f1d1ad74 Mon Sep 17 00:00:00 2001
From: Robert Helmer
Date: Tue, 30 Jan 2018 12:52:19 -0800
Subject: better sanitize jsonp
---
 src/node/hooks/express/apicalls.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/node/hooks/express/apicalls.js')
diff --git a/src/node/hooks/express/apicalls.js b/src/node/hooks/express/apicalls.js
index db0fc81f..7f2f8ecf 100644
--- a/src/node/hooks/express/apicalls.js
+++ b/src/node/hooks/express/apicalls.js
@@ -18,7 +18,7 @@ var apiCaller = function(req, res, fields) {
 apiLogger.info("RESPONSE, " + req.params.func + ", " + response);
 //is this a jsonp call, if yes, add the function call
- if(req.query.jsonp)
+ if(req.query.jsonp && isVarName(response))
 response = req.query.jsonp + "(" + response + ")";
 res._____send(response);
-- cgit v1.2.3
From b292e137ed3360a360ef084044debd3454ebf53c Mon Sep 17 00:00:00 2001
From: Stefan
Date: Sat, 3 Feb 2018 12:33:33 +0100
Subject: Added missing require for is-var-name
---
 src/node/hooks/express/apicalls.js | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src/node/hooks/express/apicalls.js')
diff --git a/src/node/hooks/express/apicalls.js b/src/node/hooks/express/apicalls.js
index 7f2f8ecf..4482fd84 100644
--- a/src/node/hooks/express/apicalls.js
+++ b/src/node/hooks/express/apicalls.js
@@ -3,6 +3,7 @@ var apiLogger = log4js.getLogger("API");
 var clientLogger = log4js.getLogger("client");
 var formidable = require('formidable');
 var apiHandler = require('../../handler/APIHandler');
+var isVarName = require('is-var-name');
 //This is for making an api call, collecting all post information and passing it to the apiHandler
 var apiCaller = function(req, res, fields) {
-- cgit v1.2.3
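Review bot: The added guard `if(req.query.jsonp && isVarName(response))` validates the wrong operand: `response` is the payload being wrapped, while `req.query.jsonp` is the caller-supplied callback name that is concatenated into the script body on the next line and remains unchecked, so an attacker can still inject arbitrary JavaScript through the callback parameter. Because the payload is presumably serialized JSON rather than a bare identifier, the check as written will also reject legitimate JSONP requests. The check belongs on the callback: `if(req.query.jsonp && isVarName(req.query.jsonp))`. Even with a valid identifier, consider sending the wrapped response as `application/javascript` with `X-Content-Type-Options: nosniff`; the headers set on the send call are not visible in this hunk. apiCaller's body begins before the hunk.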
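Review bot: The new `require('is-var-name')` line only resolves if the package is declared in package.json, which this commit does not touch; confirm it is listed there with a pinned version so a fresh install does not fail at startup with a missing module. Adding the require also does not fix the guard later in this file, which (per the previous commit) still reads `isVarName(response)` and so validates the payload instead of the `req.query.jsonp` callback name; that line should become `isVarName(req.query.jsonp)`. The hunk ends on the opening line of apiCaller, whose body lies outside it.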