JSON CallBack类型的链接,这类出现在几乎各大Web 2.0网站中。修补这类安全问题很简单,只要在目标网页开头部分强制加一个空格即可,这样BOM头就无效了。
Showing
1 changed file
with
1 additions
and
1 deletions
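--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -158,7 +158,7 @@ func (output *BeegoOutput) Jsonp(data interface{}, hasIndent bool) error {
 if callback == "" {
 return errors.New(`"callback" parameter required`)
 }
-callback_content := bytes.NewBufferString(template.JSEscapeString(callback))
+callback_content := bytes.NewBufferString(" " + template.JSEscapeString(callback))
 callback_content.WriteString("(")
 callback_content.Write(content)
 callback_content.WriteString(");\r\n")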
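Review bot: The leading space prepended on line 161 carries the whole mitigation but nothing in the code says so, so a later cleanup or a TrimSpace on the output would silently drop it; add a comment above the line such as `// Leading space keeps a caller-supplied BOM from being the first bytes of the body (see commit message); do not remove.` The callback value is still only JS-escaped rather than restricted to a JavaScript identifier, so attacker-controlled text is reflected into the response; validating `callback` against an identifier pattern and returning the existing error otherwise would be a stronger guard than relying on the space, and the response should also carry an explicit `charset=utf-8` Content-Type, which this hunk does not show. As a point of style, `callback_content` should be `callbackContent` per Go naming. Jsonp's body begins and ends outside the hunk.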