yajsml
Comparing version 1.1.0 to 1.1.1
@@ -11,3 +11,3 @@ { | ||
, "dependencies": {} | ||
, "version": "1.1.0" | ||
, "version": "1.1.1" | ||
, "repository": { | ||
@@ -14,0 +14,0 @@ "type": "git" |
@@ -46,2 +46,8 @@ /*! | ||
var path = options.path; | ||
path = decodeURIComponent(path); | ||
if (path.charAt(0) == '/') { // Account for '/C:\Windows' type of paths. | ||
path = pathutil.resolve('/', path.slice(1)); | ||
} | ||
path = pathutil.normalize(path); | ||
var method = options.method; | ||
@@ -48,0 +54,0 @@ |
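Review bot: `decodeURIComponent(path)` on the new line throws a URIError on malformed percent-encoding (a bare `%` or a truncated `%2` is enough), and nothing in the hunk catches it, so such a request would surface as an uncaught exception in the handler rather than a 400 response. The enclosing function starts and ends outside the hunk, so a surrounding try/catch may exist, but it is worth confirming; a narrow guard at this point would be `try { path = decodeURIComponent(path); } catch (e) { /* respond 400 and return */ }`. The leading-slash branch also strips any leading `/` before `pathutil.resolve`, not only the `/C:\Windows` form the comment names, so the comment could read `// Strip one leading '/' so '/C:\Windows'-style paths resolve correctly (applies to any leading '/').`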
@@ -39,6 +39,6 @@ /*! | ||
function toJSLiteral(object) { | ||
function toJSLiteral(string) { | ||
// Remember, JSON is not a subset of JavaScript. Some line terminators must | ||
// be escaped manually. | ||
var result = JSON.stringify(object); | ||
var result = '"' + escapeJavaScriptData(string) + '"'; | ||
result = result.replace('\u2028', '\\u2028').replace('\u2029', '\\u2029'); | ||
@@ -48,2 +48,15 @@ return result; | ||
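Review bot: The `.replace('\u2028', '\\u2028').replace('\u2029', '\\u2029')` chain on the line after the new `result` assignment uses string patterns, so only the first occurrence of each separator is replaced; since `escapeJavaScriptData` only escapes `\x00-\xFF`, a second U+2028 or U+2029 in `string` reaches the output unescaped and still terminates the literal. Use global regexes instead: `result = result.replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');`. Renaming the parameter from `object` to `string` also changes what non-string input produces (`'"' + escapeJavaScriptData(undefined) + '"'` yields the text `"undefined"` where `JSON.stringify` returned `undefined`), which is fine if every caller passes a string, but a one-line docstring stating that contract would make it explicit. The body of `toJSLiteral` ends outside the hunk.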
// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space. | ||
var JAVASCRIPT_CHARACTERS_EXPRESSION = | ||
/[\x00-\x2F\x3A-\x40\5B-\x60\x7B-\xFF]/g; | ||
function escapeJavaScriptData(text) { | ||
return text && text.replace(JAVASCRIPT_CHARACTERS_EXPRESSION, function (c) { | ||
return "\\x" + ('00' + c.charCodeAt(0).toString(16)).slice(-2); | ||
}); | ||
} | ||
// Only allow a subset of JavaScript expressions that are reasonable and cannot | ||
// look like HTML (e.g. `require.define`, `requireForKey("key").define`). | ||
var JSONP_CALLBACK_EXPRESSION = /^[a-zA-Z0-9$:._'"\\()\[\]\{\}]+$/; | ||
function mixin(object1, object2, objectN) { | ||
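Review bot: The character class in `JAVASCRIPT_CHARACTERS_EXPRESSION` reads `\5B-\x60` where `\x5B-\x60` was clearly intended; in a non-unicode regex `\5` is a legacy octal escape for U+0005, so the class actually contains U+0005 plus the range `B`–`` ` `` (0x42–0x60). The punctuation the comment aims at (`[ \ ] ^ _ ``) is still inside that range, so the escaping remains safe, but uppercase letters B–Z are needlessly hex-escaped in every output; fix with `/[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\xFF]/g`. `escapeJavaScriptData` returns `text` unchanged when it is falsy (`text && …`), so a `null`/`undefined` argument is handed back as-is for the caller to concatenate; either coerce with `String(text)` or add a comment such as `// Expects a string; falsy input is returned unchanged.` The comment above the regex should read "OWASP Guidelines".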
@@ -295,2 +308,9 @@ var object = {}; | ||
return; | ||
} else if (!JSONPCallback.match(JSONP_CALLBACK_EXPRESSION)) { | ||
response.writeHead(400, { | ||
'content-type': 'text/plain; charset=utf-8' | ||
}); | ||
response.write("400: The parameter `callback` must match " | ||
+ JSONP_CALLBACK_EXPRESSION + ".") | ||
response.end(); | ||
} | ||
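Review bot: The new `else if` branch writes the 400 and calls `response.end()` but, unlike the sibling branch that ends with `return;` on the first line of the hunk, does not return; unless the code after the hunk checks for this, the handler continues and may try to set headers on an already-ended response. Add `return;` after `response.end();`. The `response.write(...)` call two lines above also lacks a terminating semicolon; ASI covers it here, but it is inconsistent with the surrounding style. If the query parser can yield an array for a repeated `callback` parameter, `JSONPCallback.match` would throw a TypeError — adding `typeof JSONPCallback !== 'string' ||` to the condition would cover that, though the assignment is outside the hunk so I cannot confirm the parser's behaviour.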
@@ -302,2 +322,4 @@ | ||
'application/javascript; charset=utf-8'; | ||
// JSONP requires a guard against incorrect sniffing. | ||
responseHeaders['x-content-type-options'] = 'nosniff'; | ||
@@ -304,0 +326,0 @@ if (status == 304 || notModified(requestHeaders, responseHeaders)) { |
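Review bot: `x-content-type-options: nosniff` is added only on what the comment identifies as the JSONP path, while the plain `application/javascript` response on the line above and the hand-built 400 header object earlier in the file go without it. The header is harmless on every response and is the cheapest way to stop browsers reinterpreting script or error bodies, so consider setting `responseHeaders['x-content-type-options'] = 'nosniff';` once where `responseHeaders` is initialised rather than inside the branch. The enclosing function starts and ends outside the hunk, so I cannot see how `responseHeaders` is built; if it is shared across all response types, that is the place for it.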