This is a security release which solves the following:
Previously, the default error responder, when a client asked for a static file which was missing (404), returned the name of that file:
api.config.errors.fileNotFound = function(connection){ return connection.localize(['That file is not found (%s)', connection.params.file]); }
This is dangerous because a malicious actor could request a filename containing an executable JavaScript tag, which would be reflected back in the error message and harm the requester. We will no longer return the file name:
api.config.errors.fileNotFound = function(connection){ return connection.localize(['That file is not found']); }
When requesting an action via JSONP, it was possible (though unlikely) that the callback string you were providing contained malicious JavaScript which would harm the requester. We will now sanitize the provided callback in the following way:
    function callbackHtmlEscape(str){
      return str
        .replace(/&/g, '&amp;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#039;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/\)/g, '')
        .replace(/\(/g, '');
    }
This fix has been backported to:
A huge thank you to @submitteddenied for reporting these issues and working to fix them.