/**!
|
* jsonp-body - index.js
|
*
|
* Copyright(c) fengmk2 and other contributors.
|
* MIT Licensed
|
*
|
* Authors:
|
* fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
|
*/
|
|
'use strict';
|
|
/**
|
* Module dependencies.
|
*/
|
|
module.exports = jsonp;
|
|
function jsonp(obj, callback, options) {
|
// fixup callback when `this.query.callback` return Array
|
if (Array.isArray(callback)) {
|
callback = callback[0];
|
}
|
|
options = options || {};
|
var limit = options.limit || 512;
|
|
// JSON parse vs eval fix. @see https://github.com/rack/rack-contrib/pull/37
|
var body = JSON.stringify(obj, options.replacer, options.space)
|
.replace(/\u2028/g, '\\u2028')
|
.replace(/\u2029/g, '\\u2029');
|
|
if (typeof callback !== 'string' || callback.length === 0) {
|
return body;
|
}
|
|
// limit callback length
|
if (callback.length > limit) {
|
callback = callback.substring(0, limit);
|
}
|
|
// Only allow "[","]","a-zA-Z0123456789_", "$" and "." characters.
|
var cb = callback.replace(/[^\[\]\w$.]/g, '');
|
|
// the /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse"
|
// @see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671
|
// @see http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
|
// @see http://drops.wooyun.org/tips/2554
|
return '/**/ typeof ' + cb + ' === \'function\' && ' + cb + '(' + body + ');';
|
}
|
