finalhandler
Comparing version 0.5.1 to 1.0.0
@@ -0,1 +1,16 @@ | ||
1.0.0 / 2017-02-15 | ||
================== | ||
* Fix exception when `err` cannot be converted to a string | ||
* Fully URL-encode the pathname in the 404 message | ||
* Only include the pathname in the 404 message | ||
* Send complete HTML document | ||
* Set `Content-Security-Policy: default-src 'self'` header | ||
* deps: debug@2.6.1 | ||
- Allow colors in workers | ||
- Deprecated `DEBUG_FD` environment variable set to `3` or higher | ||
- Fix error when running under React Native | ||
- Use same color for same namespace | ||
- deps: ms@0.7.2 | ||
0.5.1 / 2016-11-12 | ||
@@ -2,0 +17,0 @@ ================== |
76
index.js
/*! | ||
* finalhandler | ||
* Copyright(c) 2014-2016 Douglas Christopher Wilson | ||
* Copyright(c) 2014-2017 Douglas Christopher Wilson | ||
* MIT Licensed | ||
@@ -15,4 +15,6 @@ */ | ||
var debug = require('debug')('finalhandler') | ||
var encodeUrl = require('encodeurl') | ||
var escapeHtml = require('escape-html') | ||
var onFinished = require('on-finished') | ||
var parseUrl = require('parseurl') | ||
var statuses = require('statuses') | ||
@@ -36,2 +38,25 @@ var unpipe = require('unpipe') | ||
/** | ||
* Create a minimal HTML document. | ||
* | ||
* @param {string} message | ||
* @private | ||
*/ | ||
function createHtmlDocument (message) { | ||
var body = escapeHtml(message) | ||
.replace(NEWLINE_REGEXP, '<br>') | ||
.replace(DOUBLE_SPACE_REGEXP, ' ') | ||
return '<!DOCTYPE html>\n' + | ||
'<html lang="en">\n' + | ||
'<head>\n' + | ||
'<meta charset="utf-8">\n' + | ||
'<title>Error</title>\n' + | ||
'</head>\n' + | ||
'<body>\n' + | ||
'<pre>' + body + '</pre>\n' + | ||
'</body>\n' | ||
} | ||
/** | ||
* Module exports. | ||
@@ -64,2 +89,3 @@ * @public | ||
var headers | ||
var msg | ||
var status | ||
@@ -88,12 +114,8 @@ | ||
// production gets a basic error message | ||
var msg = env === 'production' | ||
? statuses[status] | ||
: err.stack || err.toString() | ||
msg = escapeHtml(msg) | ||
.replace(NEWLINE_REGEXP, '<br>') | ||
.replace(DOUBLE_SPACE_REGEXP, ' ') + '\n' | ||
// get error message | ||
msg = getErrorMessage(err, status, env) | ||
} else { | ||
// not found | ||
status = 404 | ||
msg = 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(req.originalUrl || req.url) + '\n' | ||
msg = 'Cannot ' + req.method + ' ' + encodeUrl(parseUrl.original(req).pathname) | ||
} | ||
@@ -145,2 +167,28 @@ | ||
/** | ||
* Get message from Error object, fallback to status message. | ||
* | ||
* @param {Error} err | ||
* @param {number} status | ||
* @param {string} env | ||
* @return {string} | ||
* @private | ||
*/ | ||
function getErrorMessage (err, status, env) { | ||
var msg | ||
if (env !== 'production') { | ||
// use err.stack, which typically includes err.message | ||
msg = err.stack | ||
// fallback to err.toString() when possible | ||
if (!msg && typeof err.toString === 'function') { | ||
msg = err.toString() | ||
} | ||
} | ||
return msg || statuses[status] | ||
} | ||
/** | ||
* Get status code from Error object. | ||
@@ -193,8 +241,11 @@ * | ||
* @param {object} headers | ||
* @param {string} body | ||
* @param {string} message | ||
* @private | ||
*/ | ||
function send (req, res, status, headers, body) { | ||
function send (req, res, status, headers, message) { | ||
function write () { | ||
// response body | ||
var body = createHtmlDocument(message) | ||
// response status | ||
@@ -207,3 +258,4 @@ res.statusCode = status | ||
// security header for content sniffing | ||
// security headers | ||
res.setHeader('Content-Security-Policy', "default-src 'self'") | ||
res.setHeader('X-Content-Type-Options', 'nosniff') | ||
@@ -210,0 +262,0 @@ |
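Review bot: createHtmlDocument ends its string at `'</body>\n'` and never closes the root element, so the "complete HTML document" this release advertises is sent without `</html>`; the last two lines of the return expression should read `'</body>\n' +` and `'</html>\n'`. This function is now the only place the message passes through escapeHtml (the 404 branch builds `msg` from the raw `req.method` and the encoded pathname), so its doc comment should state that contract, e.g. `@param {string} message - unescaped text; HTML-escaped here, callers must not pre-escape`. In getErrorMessage, any `env` value other than exactly `'production'` returns `err.stack` to the client, which deserves a comment there noting that an unset or misspelled environment value exposes stack traces in responses.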
{ | ||
"name": "finalhandler", | ||
"description": "Node.js final http responder", | ||
"version": "0.5.1", | ||
"version": "1.0.0", | ||
"author": "Douglas Christopher Wilson <doug@somethingdoug.com>", | ||
@@ -9,5 +9,7 @@ "license": "MIT", | ||
"dependencies": { | ||
"debug": "~2.2.0", | ||
"debug": "2.6.1", | ||
"encodeurl": "~1.0.1", | ||
"escape-html": "~1.0.3", | ||
"on-finished": "~2.3.0", | ||
"parseurl": "~1.3.1", | ||
"statuses": "~1.3.1", | ||
@@ -17,3 +19,3 @@ "unpipe": "~1.0.0" | ||
"devDependencies": { | ||
"eslint": "3.10.0", | ||
"eslint": "3.15.0", | ||
"eslint-config-standard": "6.2.1", | ||
@@ -20,0 +22,0 @@ "eslint-plugin-markdown": "1.0.0-beta.3", |
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
No v1
Quality: Package is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
+ Added encodeurl@~1.0.1
+ Added parseurl@~1.3.1
+ Added debug@2.6.1 (transitive)
+ Added encodeurl@1.0.2 (transitive)
+ Added ms@0.7.2 (transitive)
+ Added parseurl@1.3.3 (transitive)
- Removed debug@2.2.0 (transitive)
- Removed ms@0.7.1 (transitive)
Updated debug@2.6.1