Fixed XSS in jsonp-polling.
rauchg committed Apr 17, 2012
1 parent a4e53a6 commit e98fc7b
Showing 2 changed files with 6 additions and 4 deletions.
7 changes: 4 additions & 3 deletions lib/manager.js
Expand Up @@ -44,7 +44,8 @@ var defaultTransports = exports.defaultTransports = [
*/

var parent = module.parent.exports
, protocol = parent.protocol;
, protocol = parent.protocol
, jsonpolling_re = /^\d+$/;

/**
* Manager constructor.
Expand Down Expand Up @@ -712,7 +713,7 @@ Manager.prototype.handleHandshake = function (data, req, res) {
};

function writeErr (status, message) {
if (data.query.jsonp) {
if (data.query.jsonp && jsonpolling_re.test(data.query.jsonp)) {
res.writeHead(200, { 'Content-Type': 'application/javascript' });
res.end('io.j[' + data.query.jsonp + '](new Error("' + message + '"));');
} else {
Expand Down Expand Up @@ -751,7 +752,7 @@ Manager.prototype.handleHandshake = function (data, req, res) {
, self.transports(data).join(',')
].join(':');

if (data.query.jsonp) {
if (data.query.jsonp && jsonpolling_re.test(data.query.jsonp)) {
hs = 'io.j[' + data.query.jsonp + '](' + JSON.stringify(hs) + ');';
res.writeHead(200, { 'Content-Type': 'application/javascript' });
} else {
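Review bot: The error text in writeErr is still spliced into the JSONP script as a raw string literal on the `res.end('io.j[' + data.query.jsonp + '](new Error("' + message + '"));')` line, so the new numeric check on the callback index guards only the first interpolation; if any caller of writeErr ever passes text derived from the request, a `"` in message would terminate the literal and the rest would be parsed as script. The handshake hunk further down already serializes its payload with JSON.stringify, so the same form keeps both paths consistent: `res.end('io.j[' + data.query.jsonp + '](new Error(' + JSON.stringify(message) + '));');`. Whether message is ever request-derived cannot be seen here, since handleHandshake's body and writeErr's callers lie outside the hunk. A short comment above the check, e.g. `// jsonp index must be purely numeric; it is emitted verbatim into the script body`, would record why the regex test was added.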
3 changes: 2 additions & 1 deletion lib/transports/jsonp-polling.js
Expand Up @@ -10,6 +10,7 @@
*/

var HTTPPolling = require('./http-polling');
var jsonpolling_re = /^\d+$/

/**
* Export the constructor.
Expand All @@ -29,7 +30,7 @@ function JSONPPolling (mng, data, req) {
this.head = 'io.j[0](';
this.foot = ');';

if (data.query.i) {
if (data.query.i && jsonpolling_re.test(data.query.i)) {
this.head = 'io.j[' + data.query.i + '](';
}
};
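Review bot: The new `var jsonpolling_re = /^\d+$/` declaration has no terminating semicolon, unlike the `require` line directly above it, and relies on automatic semicolon insertion across the following comment block; `var jsonpolling_re = /^\d+$/;` matches the file's style and avoids a surprise should a later line ever begin with `(` or `[`. The same regex is declared a second time in lib/manager.js in this commit; exporting it from one module would keep the two JSONP index checks from drifting apart. A one-line comment above the declaration, e.g. `// JSONP callback index is emitted verbatim into the response body, so it must be purely numeric`, would record why the check exists. The JSONPPolling constructor's signature is outside this hunk; only its tail is visible.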
