adding validation to callback name
untoldone committed Jun 18, 2015
1 parent b695f3c commit 8ed1a3a
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion api/render.go
@@ -1,11 +1,13 @@
package api

import (
"regexp"
"net/http"
"github.com/unrolled/render"
)

var defaultRenderer = render.New(render.Options{})
var validJsonpCallback = regexp.MustCompile(`(?i)^[$A-Z_][0-9A-Z_$]*$`)

func Render(w http.ResponseWriter, req *http.Request, status int, v interface{}) {
vars := req.URL.Query()
@@ -24,7 +26,14 @@ func Render(w http.ResponseWriter, req *http.Request, status int, v interface{})
}

if callback, ok := vars["callback"]; ok {
defaultRenderer.JSONP(w, status, callback[0], v)
if validJsonpCallback.MatchString(callback[0]) {
defaultRenderer.JSONP(w, status, callback[0], v)
} else {
defaultRenderer.JSON(w, 400, map[string]string{
"name": "InvalidCallbackNameError",
"message": "Callback must be a valid javascript function name",
})
}
} else {
defaultRenderer.JSON(w, status, v)
}
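Review bot: The new `validJsonpCallback` check constrains the callback's characters but not its length, so the value handed to `defaultRenderer.JSONP` is still an arbitrarily long, caller-chosen prefix of the response body. I would bound it in the same condition, e.g. `if len(callback[0]) <= maxCallbackLen && validJsonpCallback.MatchString(callback[0]) {` (with `maxCallbackLen` a new constant the project picks), and set `w.Header().Set("X-Content-Type-Options", "nosniff")` before rendering so the reply cannot be reinterpreted as another content type; whether the render package already sets that header is not visible here. As a smaller style point, the literal `400` could be `http.StatusBadRequest`, since `net/http` is already imported. `Render` starts in the first hunk and continues past this one, so anything it does after the `else` branch is outside this review.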