Merge pull request #1766 from patrickkettner/rosetta-flash

prepend jsonp callbacks with a comment to prevent the rosetta-flash vulnerability

lib/response/payload.js

@@ -53,7 +53,7 @@ internals.Payload.prototype.size = function () {
 internals.Payload.prototype.jsonp = function (variable) {
 
     this._sizeOffset += variable.length + 3;
-    this._prefix = variable + '(';
+    this._prefix = '/**/' + variable + '(';
     this._data = Buffer.isBuffer(this._data) ? this._data : this._data.replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
     this._suffix = ');';
 };

test/response.js

@@ -1047,7 +1047,7 @@ describe('Response', function () {
 
             server.inject('/?callback=me', function (res) {
 
-                expect(res.payload).to.equal('me({"some":"value"});');
+                expect(res.payload).to.equal('/**/me({"some":"value"});');
                 expect(res.headers['content-length']).to.equal(21);
                 done();
             });
@@ -1096,7 +1096,7 @@ describe('Response', function () {
                 Zlib.unzip(new Buffer(res.payload, 'binary'), function (err, result) {
 
                     expect(err).to.not.exist;
-                    expect(result.toString()).to.equal('docall({"first":"1","last":"2"});');
+                    expect(result.toString()).to.equal('/**/docall({"first":"1","last":"2"});');
                     done();
                 });
             });
@@ -1114,7 +1114,7 @@ describe('Response', function () {
 
             server.inject('/?callback=me', function (res) {
 
-                expect(res.payload).to.equal('me(value);');
+                expect(res.payload).to.equal('/**/me(value);');
                 expect(res.headers['content-length']).to.equal(10);
                 done();
             });