
jsonp-body


Helper to create a safer JSONP response body for Koa and other web frameworks

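/**
 * Build a JSONP response body that is safe to serve as JavaScript.
 *
 * The callback name is normally lifted straight from the query string, so it is
 * treated as untrusted: it is length-bounded, stripped down to identifier-like
 * characters, and the whole script is prefixed with an empty block comment
 * (see the Rosetta Flash note below). The JSON text itself has U+2028/U+2029
 * escaped so it cannot break out of a string when evaluated as script.
 *
 * NOTE(review): this function only shapes the body. Whether JSONP should be
 * offered at all, and the response `Content-Type` it is served with, are the
 * caller's responsibility.
 *
 * @param {*} obj - Value to serialize with `JSON.stringify`.
 * @param {string|string[]} [callback] - Callback name. A repeated query
 *   parameter arrives as an array, in which case the first element is used.
 *   Anything that is not a non-empty string yields the plain JSON text.
 * @param {object} [options]
 * @param {number} [options.limit=512] - Maximum callback length; longer names
 *   are truncated before sanitizing.
 * @param {Function|Array} [options.replacer] - Forwarded to `JSON.stringify`.
 * @param {number|string} [options.space] - Forwarded to `JSON.stringify`.
 * @returns {string} The JSON text when there is no usable callback, otherwise
 *   `typeof <cb> === 'function' && <cb>(<json>);` behind the comment prefix.
 * @throws {TypeError} when `obj` has no JSON representation (`undefined`,
 *   a function or a symbol), since there is no body to wrap.
 */
export function jsonp(obj, callback, options = {}) {
  // fixup callback when `this.query.callback` returns an Array
  let name = Array.isArray(callback) ? callback[0] : callback;

  const limit = options.limit ?? 512;

  const json = JSON.stringify(obj, options.replacer, options.space);
  if (json === undefined) {
    // Fail loudly instead of dereferencing `undefined` further down.
    throw new TypeError('jsonp: value cannot be serialized by JSON.stringify');
  }
  // U+2028 / U+2029 are legal inside JSON strings but are line terminators in
  // JavaScript (before ES2019), so escape them before the text is run as script.
  // JSON parse vs eval fix. @see https://github.com/rack/rack-contrib/pull/37
  const body = json
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');

  if (typeof name !== 'string' || name.length === 0) {
    return body;
  }

  // Bound the length first so the sanitizing regex never runs over more than
  // `limit` characters of attacker-controlled input.
  if (name.length > limit) {
    name = name.substring(0, limit);
  }

  // Only allow "[","]","a-zA-Z0123456789_", "$" and "." characters.
  const cb = name.replace(/[^\[\]\w\$\.]+/g, '');
  if (cb.length === 0) {
    // A callback made entirely of disallowed characters would otherwise yield
    // `typeof  === 'function' && (...)`, a syntax error on the client; fall
    // back to the same plain-JSON response as a missing callback.
    return body;
  }

  // the /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse"
  // @see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671
  // @see http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
  // @see http://drops.wooyun.org/tips/2554
  //
  // the typeof check is just to reduce client error noise
  return `/**/ typeof ${cb} === 'function' && ${cb}(${body});`;
}
//# sourceMappingURL=data:application/json;base64,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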