Bert JW Regeer
2015-04-14 1ce2b07e2d8113919387b1924e17096ad5697437
author Bert JW Regeer <bertjw@regeer.org>
Tuesday, April 14, 2015 06:12 +0200
committer Bert JW Regeer <bertjw@regeer.org>
Tuesday, April 14, 2015 06:32 +0200
commit 1ce2b07e2d8113919387b1924e17096ad5697437
tree 68895b15c1ffc676f8132c27e1373daa0a16ef73
parent 4f7538b03a306177eea9650fc7794aec8a42cc2b
Add some validation for the JSONP callback

The callback variable could be used to arbitrarily inject JavaScript
into the response object. This validates that the callback doesn't begin
with a number and consists of standard US ASCII characters, because trying to
make sure the JavaScript function name is actually valid would require
parsing JavaScript itself...
2 files modified, 17 changes
pyramid/renderers.py (9)
pyramid/tests/test_renderers.py (8)
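As an added illustration, not the code from this Pyramid commit, the check the message describes written as a stand-alone Python function beside the unvalidated rendering it replaces; the exact character set and the allowance for dotted callback names are assumptions made here.

```python
import json
import re

# Assumed rule (added example, not Pyramid's own regex): the callback must
# start with an ASCII letter, underscore or dollar sign and may then contain
# only ASCII letters, digits, underscores, dollar signs and dots. Dots are
# allowed so namespaced callbacks such as ``app.handlers.done`` still work.
_CALLBACK_RE = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$.]*$')


def is_valid_jsonp_callback(name):
    """Return True if ``name`` is an acceptable JSONP callback identifier.

    Anything that is not a string, is empty, begins with a digit, or contains
    characters outside the ASCII identifier set above (parentheses, semicolons,
    whitespace, non-ASCII letters) is rejected.
    """
    if not isinstance(name, str):
        return False
    # The character classes are spelled out explicitly, so a non-ASCII letter
    # such as ``\u00e9`` can never match [A-Za-z].
    return _CALLBACK_RE.match(name) is not None


def render_jsonp_unvalidated(callback, value):
    """Pre-fix behaviour: the client-supplied callback is interpolated
    verbatim, so whatever text it carries lands in the script response."""
    return '%s(%s);' % (callback, json.dumps(value))


def render_jsonp(callback, value):
    """Hardened form: refuse anything that is not a plain identifier before
    it is interpolated into the response body."""
    if not is_valid_jsonp_callback(callback):
        raise ValueError('invalid JSONP callback name: %r' % (callback,))
    return '%s(%s);' % (callback, json.dumps(value))


if __name__ == '__main__':
    # Constructed sample inputs: one acceptable name, one that is not.
    for name in ('handleData', 'foo();bar'):
        print(name, '->', is_valid_jsonp_callback(name))
```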