Author: sevein Date: Fri Oct 8 04:53:34 2010 New Revision: 25 Log: Use static callback function to avoid possible injection risk.
Modified: trunk/chk4upd/views.py Modified: trunk/chk4upd/views.py ==============================================================================
--- trunk/chk4upd/views.py Thu Oct 7 12:37:13 2010 (r24)
+++ trunk/chk4upd/views.py Fri Oct 8 04:53:34 2010 (r25)
@@ -37,9 +37,10 @@
 c.save()
- # JSONP support
+ # JSONP support for cross-domain XHR
+ # See http://tav.espians.com/sanitising-jsonp-callback-identifiers-for-security.html
 if 'callback' in request.GET:
- response = request.GET.get('callback') + '(' + '{ "version" : "' + version + '" }' + ');'
+ response = 'updateCheck(' + '{ version: \'' + version + '\' }' + ');'
 return HttpResponse(response, mimetype='application/x-javascript')
 return HttpResponse(version, mimetype='text/plain')
-- You received this message because you are subscribed to the Google Groups "Qubit Toolkit Commits" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/qubit-commits?hl=en.
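Review bot: The rewritten `response` line on the new side still splices `version` into a JavaScript string literal by hand-built concatenation, so a value containing `'` or `\` would break or escape the literal; hard-coding the callback only removes the callback-name injection, not this one. If `version` is not a constant the view fully controls (it is assigned above the hunk, so I cannot tell here), serialize it instead of quoting it manually: `response = 'updateCheck(' + json.dumps({'version': version}) + ');'` (with `import json` at the top of the file, Python 2.6+), which also restores the valid-JSON payload the removed line produced rather than the single-quoted object literal the new line emits. Separately, the added comment points at an article about sanitising callback identifiers, but the code now discards `request.GET['callback']` entirely, so a client that supplies its own callback name (for example jQuery's auto-generated `jQuery…` names) receives a script it cannot handle; either say in the comment that the callback name is fixed to `updateCheck` by design, or validate the supplied name against `^[A-Za-z_$][A-Za-z0-9_$]*$` as that article describes before echoing it. The enclosing view starts above the hunk.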
