jsonp-body
Helper to create a safer JSONP response body for Koa and other web frameworks
// Compiled CommonJS output (the source map below points at ../../src/index.ts).
// The `__esModule` flag is the marker TypeScript/Babel interop helpers use to
// treat this module's named exports as ES-module exports.
Object.defineProperty(exports, "__esModule", { value: true });
// Single named export; `jsonp` is a hoisted function declaration defined below.
exports.jsonp = jsonp;
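/**
 * Serialize `obj` as a JSONP response body, or as plain JSON when no usable
 * callback name is available.
 *
 * The callback name is treated as untrusted (it normally comes straight from
 * the query string): it is length-limited and reduced to identifier /
 * member-access characters before being interpolated into the script.
 *
 * @param {*} obj - Value to serialize with `JSON.stringify`.
 * @param {string|string[]} [callback] - Callback name; when the query
 *   parameter was repeated and arrives as an array, the first entry is used.
 * @param {object} [options]
 * @param {number} [options.limit=512] - Maximum callback length; longer
 *   names are truncated before sanitizing.
 * @param {Function|Array} [options.replacer] - Forwarded to `JSON.stringify`.
 * @param {number|string} [options.space] - Forwarded to `JSON.stringify`.
 * @returns {string} The JSON text when there is no usable callback, otherwise
 *   a script statement of the form `typeof cb === 'function' && cb(json);`
 *   prefixed with an empty block comment.
 * @throws {TypeError} When `JSON.stringify` cannot serialize `obj`
 *   (circular references, BigInt).
 */
function jsonp(obj, callback, options = {}) {
  // A repeated query parameter (`?callback=a&callback=b`) is delivered as an
  // array by the framework; use its first entry.
  let name = Array.isArray(callback) ? callback[0] : callback;
  const limit = options.limit ?? 512;

  // U+2028 / U+2029 are legal inside JSON strings but are line terminators in
  // JavaScript source, so left raw they would break the emitted script
  // (JSON.parse vs eval mismatch). @see https://github.com/rack/rack-contrib/pull/37
  const body = JSON.stringify(obj, options.replacer, options.space)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');

  if (typeof name !== 'string' || name.length === 0) {
    return body;
  }

  // Bound the size of attacker-controlled input before doing anything else with it.
  if (name.length > limit) {
    name = name.substring(0, limit);
  }

  // Only allow "[", "]", ASCII "a-zA-Z0-9_", "$" and "." (\w without the
  // `u`/`i` flags is ASCII-only). Quotes, parentheses, "<", whitespace and
  // everything else are stripped, so the result can only be an identifier or
  // a member-access expression, never a statement of its own.
  const cb = name.replace(/[^\[\]\w\$\.]+/g, '');

  // A name consisting solely of disallowed characters sanitizes to "", which
  // would otherwise emit `typeof  === 'function'` — a client-side syntax
  // error. Treat it like a missing callback and return plain JSON instead.
  if (cb.length === 0) {
    return body;
  }

  // the /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse"
  // @see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671
  // @see http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
  // @see http://drops.wooyun.org/tips/2554
  //
  // the typeof check is just to reduce client error noise
  return `/**/ typeof ${cb} === 'function' && ${cb}(${body});`;
}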
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFTQSxzQkFpQ0M7QUFqQ0QsU0FBZ0IsS0FBSyxDQUFDLEdBQVEsRUFBRSxRQUE0QixFQUFFLFVBQW1CLEVBQUU7SUFDakYseURBQXlEO0lBQ3pELElBQUksS0FBSyxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO1FBQzVCLFFBQVEsR0FBRyxRQUFRLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDekIsQ0FBQztJQUVELE1BQU0sS0FBSyxHQUFHLE9BQU8sQ0FBQyxLQUFLLElBQUksR0FBRyxDQUFDO0lBRW5DLDJEQUEyRDtJQUMzRCw0RUFBNEU7SUFDNUUsTUFBTSxJQUFJLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLFFBQVEsRUFBRSxPQUFPLENBQUMsS0FBSyxDQUFDO1NBQzlELE9BQU8sQ0FBQyxTQUFTLEVBQUUsU0FBUyxDQUFDO1NBQzdCLE9BQU8sQ0FBQyxTQUFTLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFFakMsSUFBSSxPQUFPLFFBQVEsS0FBSyxRQUFRLElBQUksUUFBUSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUMxRCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7SUFFRCx3QkFBd0I7SUFDeEIsSUFBSSxRQUFRLENBQUMsTUFBTSxHQUFHLEtBQUssRUFBRSxDQUFDO1FBQzVCLFFBQVEsR0FBRyxRQUFRLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxLQUFLLENBQUMsQ0FBQztJQUMxQyxDQUFDO0lBRUQsa0VBQWtFO0lBQ2xFLE1BQU0sRUFBRSxHQUFHLFFBQVEsQ0FBQyxPQUFPLENBQUMsaUJBQWlCLEVBQUUsRUFBRSxDQUFDLENBQUM7SUFFbkQsNkVBQTZFO0lBQzdFLHNFQUFzRTtJQUN0RSxzRUFBc0U7SUFDdEUseUNBQXlDO0lBQ3pDLEVBQUU7SUFDRix3REFBd0Q7SUFDeEQsT0FBTyxjQUFjLEdBQUcsRUFBRSxHQUFHLHVCQUF1QixHQUFHLEVBQUUsR0FBRyxHQUFHLEdBQUcsSUFBSSxHQUFHLElBQUksQ0FBQztBQUNoRixDQUFDIn0=
;