When my callback looks like callbacks[123] it's converted to
callbacks123 and this leads to an error. I cannot change the code for
the client because it uses a framework (qooxdoo) which manages by
itself the jsonp stuff. So this is the problem:
lib/response.js, Line 139: body = callback.replace(/[^\w$.]/g, '') +
'(' + body + ');';
It's removing the "[" and "]" when it shouldn't remove them..
it's potentially a security issue if we allow arbitrary chars, but I'm
definitely open to refining things, we should definitely make it work
out-of-the-box with frameworks out there
On Apr 30, 8:06 pm, Totty <webdesignpo...@gmail.com> wrote:
> When my callback looks like callbacks[123] it's converted to
> callbacks123 and this leads to an error. I cannot change the code for
> the client because it uses a framework (qooxdoo) which manages by
> itself the jsonp stuff. So this is the problem:
> lib/response.js, Line 139: body = callback.replace(/[^\w$.]/g, '') +
> '(' + body + ');';
> It's removing the "[" and "]" when it shouldn't remove them..
> it's potentially a security issue if we allow arbitrary chars, but I'm
> definitely open to refining things, we should definitely make it work
> out-of-the-box with frameworks out there
> On Apr 30, 8:06 pm, Totty <webdesignpo...@gmail.com> wrote:
>> When my callback looks like callbacks[123] it's converted to
>> callbacks123 and this leads to an error. I cannot change the code for
>> the client because it uses a framework (qooxdoo) which manages by
>> itself the jsonp stuff. So this is the problem:
>> lib/response.js, Line 139: body = callback.replace(/[^\w$.]/g, '') +
>> '(' + body + ');';
>> It's removing the "[" and "]" when it shouldn't remove them..
thanks. I don't know how these bugs are fixed, but I would like to
allow theses changes in my code. Currently I'm changing my code from
the node_modules that my app uses, but it's not a good option.
thanks
On May 2, 8:14 pm, Ryan Schmidt <google-2...@ryandesign.com> wrote:
> So if this is to be corrected as Totty suggests, and "[" and "]" are to be allowed, then the corrected line would be:
> body = callback.replace(/[^\w$.\[\]]/g, '') + '(' + body + ');';
> On May 2, 2012, at 10:40, tjholowaychuk wrote:
> > it's potentially a security issue if we allow arbitrary chars, but I'm
> > definitely open to refining things, we should definitely make it work
> > out-of-the-box with frameworks out there
> > On Apr 30, 8:06 pm, Totty <webdesignpo...@gmail.com> wrote:
> >> When my callback looks like callbacks[123] it's converted to
> >> callbacks123 and this leads to an error. I cannot change the code for
> >> the client because it uses a framework (qooxdoo) which manages by
> >> itself the jsonp stuff. So this is the problem:
> >> lib/response.js, Line 139: body = callback.replace(/[^\w$.]/g, '') +
> >> '(' + body + ');';
> >> It's removing the "[" and "]" when it shouldn't remove them..
If you can submit a patch to fix it (i.e. by creating a gist of the patch, then putting a link to the gist into the ticket), or submit a pull request of the fix, that would be even better.
> thanks. I don't know how these bugs are fixed, but I would like to
> allow theses changes in my code. Currently I'm changing my code from
> the node_modules that my app uses, but it's not a good option.
