Merge pull request #3314 from rhelmer/sanitize-jsonp

JohnMcLear · web-flow · commit 626e58cc5af1 · 2018-01-31T08:25:43.000Z
better sanitize jsonp
diff --git a/src/node/hooks/express/apicalls.js b/src/node/hooks/express/apicalls.js
@@ -18,7 +18,7 @@ var apiCaller = function(req, res, fields) {
     apiLogger.info("RESPONSE, " + req.params.func + ", " + response);
 
     //is this a jsonp call, if yes, add the function call
-    if(req.query.jsonp)
+    if(req.query.jsonp && isVarName(response))
       response = req.query.jsonp + "(" + response + ")";
 
     res._____send(response);
diff --git a/src/package.json b/src/package.json
@@ -43,7 +43,8 @@
                       "jsonminify"              : "0.4.1",
                       "measured"                : "1.1.0",
                       "mocha"                   : "2.4.5",
-                      "supertest"               : "1.2.0"
+                      "supertest"               : "1.2.0",
+                      "is-var-name"             : "1.0.0"
                      },
   "bin":             { "etherpad-lite": "./node/server.js" },
   "devDependencies": {
