1
0
mirror of https://github.com/astaxie/beego.git synced 2024-11-25 19:10:54 +00:00

JSON CallBack类型的链接,这类出现在几乎各大Web 2.0网站中。修补这类安全问题很简单,只要在目标网页开头部分强制加一个空格即可,这样BOM头就无效了。

This commit is contained in:
astaxie 2013-11-08 20:54:06 +08:00
parent 0fb7d4babb
commit 558738ade8

View File

@ -158,7 +158,7 @@ func (output *BeegoOutput) Jsonp(data interface{}, hasIndent bool) error {
if callback == "" {
return errors.New(`"callback" parameter required`)
}
callback_content := bytes.NewBufferString(template.JSEscapeString(callback))
callback_content := bytes.NewBufferString(" " + template.JSEscapeString(callback))
callback_content.WriteString("(")
callback_content.Write(content)
callback_content.WriteString(");\r\n")