Easy bug fix for JSONP callback when callback contains "[]" ex.: callback=callbacks[123]
Totty
Apr 30, 2012, 11:06:30 PM
to Express
When my callback looks like callbacks[123] it's converted to
callbacks123 and this leads to an error. I cannot change the code for
the client because it uses a framework (qooxdoo) which manages by
itself the jsonp stuff. So this is the problem:
lib/response.js, Line 139:
body = callback.replace(/[^\w$.]/g, '') + '(' + body + ');';
It's removing the "[" and "]" when it shouldn't remove them.
thanks
tjholowaychuk
May 2, 2012, 11:40:27 AM
to Express
It's potentially a security issue if we allow arbitrary chars, but I'm
definitely open to refining things, we should definitely make it work
out-of-the-box with frameworks out there.
Ryan Schmidt
May 2, 2012, 3:14:21 PM
to expre...@googlegroups.com
So if this is to be corrected as Totty suggests, and "[" and "]" are to be allowed, then the corrected line would be:
body = callback.replace(/[^\w$.\[\]]/g, '') + '(' + body + ');';
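Added example, not part of the thread and not Express's own code: the two filters quoted above applied to constructed callback names, plus a validate-and-reject check that goes beyond what the thread proposes. The function names, the sample inputs and the STRICT pattern are assumptions made for illustration.

```javascript
// Added example: the two filters quoted in this thread, applied to
// constructed callback names. All function names here are hypothetical.
const ORIGINAL = /[^\w$.]/g;           // lib/response.js as quoted by Totty
const WITH_BRACKETS = /[^\w$.\[\]]/g;  // line proposed in Ryan Schmidt's reply

// Strip every character the filter does not allow (what the quoted line does).
function sanitize(callback, filter) {
  return String(callback).replace(filter, '');
}

// Build the JSONP response body the way the quoted line does.
function jsonpBody(callback, payload, filter) {
  return sanitize(callback, filter) + '(' + JSON.stringify(payload) + ');';
}

// Assumption, not from the thread: validate instead of stripping, so a
// malformed name is rejected rather than silently rewritten. Accepts dotted
// identifiers with numeric indexes only, e.g. a.b[12].c
const STRICT = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*|\[\d+\])*$/;
function isValidCallback(callback) {
  return typeof callback === 'string' && STRICT.test(callback);
}

// Constructed sample inputs.
const samples = ['callbacks[123]', 'qx.callbacks.cb7', 'cb);other(', '<script>x'];
for (const name of samples) {
  console.log(JSON.stringify(name), {
    original: sanitize(name, ORIGINAL),
    withBrackets: sanitize(name, WITH_BRACKETS),
    strictAccepts: isValidCallback(name),
  });
}
```

With the bracket-allowing filter, callbacks[123] reaches the client unchanged, while parentheses, semicolons and angle brackets are still dropped from the callback name.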
Totty
May 6, 2012, 11:30:44 AM
to Express
Thanks. I don't know how these bugs are fixed, but I would like to
allow these changes in my code. Currently I'm changing my code from
the node_modules that my app uses, but it's not a good option.
thanks
Ryan Schmidt
May 6, 2012, 5:43:39 PM
to expre...@googlegroups.com
The first thing you should probably do is file a bug report:
If you can submit a patch to fix it (i.e. by creating a gist of the patch, then putting a link to the gist into the ticket), or submit a pull request of the fix, that would be even better.