diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34f0be8e8..61f842440 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.0.0-alpha.23] - 2016-04-12
+### Changed
+* Sanitize jsonp callback in processFeatureServer
+
 ## [3.0.0-alpha.22] - 2016-04-04
 ### Fixed
 * Remove duplicate json templates
@@ -648,6 +652,9 @@ Koop is now just a node module that exposes an express middleware app with hooks
 - koop-server is no more; all central code is in the koop project
 - to use Koop you must use it as middleware in an app that boots up an http server
+[3.0.0-alpha.23]: https://github.com/koopjs/koop/compare/v3.0.0-alpha.22...v3.0.0-alpha.23
+[3.0.0-alpha.22]: https://github.com/koopjs/koop/compare/v3.0.0-alpha.21...v3.0.0-alpha.22
+[3.0.0-alpha.21]: https://github.com/koopjs/koop/compare/v3.0.0-alpha.20...v3.0.0-alpha.21
 [3.0.0-alpha.20]: https://github.com/koopjs/koop/compare/v3.0.0-alpha.19...v3.0.0-alpha.20
 [3.0.0-alpha.19]: https://github.com/koopjs/koop/compare/v3.0.0-alpha.18...v3.0.0-alpha.19
 [3.0.0-alpha.18]: https://github.com/koopjs/koop/compare/v3.0.0-alpha.17...v3.0.0-alpha.18
diff --git a/package.json b/package.json
index e68e420c9..0345d27b2 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "koop",
   "description": "Transform, query, & download geospatial data on the web",
-  "version": "3.0.0-alpha.22",
+  "version": "3.0.0-alpha.23",
   "author": {
     "name": "Chris Helm"
   },
diff --git a/src/lib/BaseController.js b/src/lib/BaseController.js
index a67dd522e..085d7ee06 100644
--- a/src/lib/BaseController.js
+++ b/src/lib/BaseController.js
@@ -57,7 +57,10 @@ function execServerMethod (method, req, res, geojson) {
     if (err) return res.status(400).send(err)
     if (!geojson) return res.status(400).json({error: 'No data passed to feature server method'})
     if (d.features && d.features.length > 1000) d.features = d.features.splice(0, 1000)
-    if (req.query.callback) return res.send(req.query.callback + '(' + JSON.stringify(d) + ')')
+    if (req.query.callback) {
+      const callback = sanitizeCallback(req.query.callback)
+      return res.send(callback + '(' + JSON.stringify(d) + ')')
+    }
     res.status(200).json(d)
   })
 }
@@ -70,4 +73,8 @@ function execInfo (geojson, layer, query, res) {
   })
 }
 
+function sanitizeCallback (callback) {
+  return callback.replace(/[^\w\d\.\(\)\[\]]/g, '')
+}
+
 module.exports = Controller
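Review bot: The new branch still emits the JSONP body through `res.send(...)`, so a string body gets the framework's default content type (text/html under Express) and no `X-Content-Type-Options: nosniff` header; sanitizing the callback name alone does not make a script response safe to serve, and a repeated `?callback=` parameter arrives as an array, on which `sanitizeCallback`'s `.replace` throws before any response is written. If `res` is an Express response (the changelog describes Koop as Express middleware), the built-in helper already performs the name sanitizing, sets `text/javascript` plus nosniff, prefixes `/**/` and handles the array case, so the three added lines collapse to `if (req.query.callback) return res.jsonp(d)`. Otherwise set `res.set('Content-Type', 'text/javascript')` and `res.set('X-Content-Type-Options', 'nosniff')` before the `res.send`. The enclosing callback and `execServerMethod` itself begin before this hunk.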
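Review bot: `sanitizeCallback`'s allow-list keeps `(` and `)`, so a value such as `alert(1)` passes through unchanged and the response body becomes `alert(1)({...})`; a JSONP callback name only needs identifier characters plus `.` and `[]`, so the class should drop the parentheses, and `\d` is already covered by `\w`: `return callback.replace(/[^\w.\[\]]/g, '')`. The helper also carries no documentation; a JSDoc line such as `/** Strip every character from a JSONP callback name that is not an identifier char, '.', '[' or ']'. Assumes a string argument. */` would state the contract and the string-only assumption that the `.replace` call relies on.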