JSON CallBack类型的链接，这类出现在几乎各大Web 2.0网站中。修补这类安全问题很简单，只要在目标网页开头部分强制加一个空格即可，这样BOM头就无效了。

astaxie
Showing 1 changed file with 1 additions and 1 deletions
context/output.go
--- a/context/output.go
View file @558738a
+++ b/context/output.go
View file @558738a
@@ -158,7 +158,7 @@ func (output *BeegoOutput) Jsonp(data interface{}, hasIndent bool) error {
 	if callback == "" {
 		return errors.New(`"callback" parameter required`)
 	}
-	callback_content := bytes.NewBufferString(template.JSEscapeString(callback))
+	callback_content := bytes.NewBufferString(" " + template.JSEscapeString(callback))
 	callback_content.WriteString("(")
 	callback_content.Write(content)
 	callback_content.WriteString(");\r\n")