(req: Request, res: Response)
| 40 | * @param app App |
| 41 | */ |
| 42 | export const jsonp = (req: Request, res: Response) => (obj: unknown, opts: JSONPOptions = {}) => { |
| 43 | const val = obj |
| 44 | |
| 45 | const { escape, replacer, spaces, callbackName = 'callback' } = opts |
| 46 | |
| 47 | let body = stringify(val, replacer, spaces, escape) |
| 48 | |
| 49 | let callback = req.query[callbackName] |
| 50 | |
| 51 | if (!res.get('Content-Type')) { |
| 52 | res.set('X-Content-Type-Options', 'nosniff') |
| 53 | res.set('Content-Type', 'application/json') |
| 54 | } |
| 55 | |
| 56 | // jsonp |
| 57 | if (typeof callback === 'string' && callback.length !== 0) { |
| 58 | res.set('X-Content-Type-Options', 'nosniff') |
| 59 | res.set('Content-Type', 'text/javascript') |
| 60 | |
| 61 | // restrict callback charset |
| 62 | callback = callback.replace(/[^[\]\w$.]/g, '') |
| 63 | |
| 64 | // replace chars not allowed in JavaScript that are in JSON |
| 65 | body = body.replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029') |
| 66 | |
| 67 | // the /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse" |
| 68 | // the typeof check is just to reduce client error noise |
| 69 | body = `/**/ typeof ${callback} === 'function' && ${callback}(${body});` |
| 70 | } |
| 71 | |
| 72 | return res.send(body) |
| 73 | } |
no test coverage detected