Release 1.0.3

This prevents JSONP callbacks from being used as an XSS vector. The set
of acceptable characters is intentionally more limited than the full
set of valid characters in JS identifiers in order to avoid complexity,
but this could be expanded in the future if necessary.

.npmignore

@@ -0,0 +1,4 @@
+test
+support
+examples
+docs

History.md

@@ -1,4 +1,22 @@
 
+1.0.3 / 2011-01-13 
+==================
+
+  * Remove unsafe characters from JSONP callback names [Ryan Grove]
+
+1.0.2 / 2011-01-10 
+==================
+
+  * Removed nested require, using `connect.router`
+
+1.0.1 / 2010-12-29 
+==================
+
+  * Fixed for middleware stacked via `createServer()`
+    previously the `foo` middleware passed to `createServer(foo)`
+    would not have access to Express methods such as `res.send()`
+    or props like `req.query` etc.
+
 1.0.0 / 2010-11-16 
 ==================
 

Readme.md

@@ -69,7 +69,7 @@ The following are the major contributors of Express (in no specific order).
     
 The latest release of Express is compatible with node --version:
 
-    v0.2.4
+    v0.2.5
 
 and connect --version:
 

bin/express

@@ -12,7 +12,7 @@ var fs = require('fs')
  * Framework version.
  */
 
-var version = '1.0.0';
+var version = '1.0.3';
 
 /**
  * stdin stream.
@@ -145,10 +145,11 @@ var appTest = [
   , " * Module dependencies."
   , " */"
   , ""
-  , "var app = require('../app');"
+  , "var app = require('../app')"
+  , "  , assert = require('assert');"
   , "",
   , "module.exports = {"
-  , "  'GET /': function(assert){"
+  , "  'GET /': function(){"
   , "    assert.response(app,"
   , "      { url: '/' },"
   , "      { status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' }},"

docs/guide.md

@@ -36,19 +36,21 @@ Note the use of _app.router_, which can (optionally) be used to mount the applic
 otherwise the first call to _app.{get,put,del,post}()_ will mount the routes.
 
     app.configure(function(){
-  		app.use(express.methodOverride());
-  		app.use(express.bodyDecoder());
-  		app.use(app.router);
-  		app.use(express.staticProvider(__dirname + '/public'));
-  	});
-	
-  	app.configure('development', function(){
-  		app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
-  	});
-	
-  	app.configure('production', function(){
-  		app.use(express.errorHandler());
-  	});
+    	app.use(express.methodOverride());
+    	app.use(express.bodyDecoder());
+    	app.use(app.router);
+    });
+
+    app.configure('development', function(){
+    	app.use(express.staticProvider(__dirname + '/public'));
+    	app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
+    });
+
+    app.configure('production', function(){
+      var oneYear = 31557600000;
+    	app.use(express.staticProvider({ root: __dirname + '/public', maxAge: oneYear }));
+    	app.use(express.errorHandler());
+    });
 
 For internal and arbitrary settings Express provides the _set(key[, val])_, _enable(key)_, _disable(key)_ methods:
 

lib/express/index.js

@@ -19,7 +19,7 @@ var exports = module.exports = require('connect').middleware;
  * Framework version.
  */
 
-exports.version = '1.0.0';
+exports.version = '1.0.3';
 
 /**
  * Module dependencies.

lib/express/response.js

@@ -85,7 +85,7 @@ http.ServerResponse.prototype.send = function(body, headers, status){
         body = JSON.stringify(body);
         if (this.req.query.callback && this.app.settings['jsonp callback']) {
           this.header('Content-Type', 'text/javascript');
-          body = this.req.query.callback + '(' + body + ');';
+          body = this.req.query.callback.replace(/[^\w$.]/g, '') + '(' + body + ');';
         }
       }
       break;

lib/express/server.js

@@ -14,7 +14,7 @@ var url = require('url')
   , connect = require('connect')
   , utils = connect.utils
   , queryString = require('querystring')
-  , router = require('connect/middleware/router');
+  , router = require('connect').router;
 
 /**
  * Initialize a new `Server` with optional `middleware`.
@@ -32,7 +32,7 @@ var Server = exports = module.exports = function Server(middleware){
   this.viewHelpers = {};
   this.dynamicViewHelpers = {};
   this.errorHandlers = [];
-  connect.Server.call(this, middleware || []);
+  connect.Server.call(this, []);
 
   // Default "home" to / 
   this.set('home', '/');
@@ -65,6 +65,13 @@ var Server = exports = module.exports = function Server(middleware){
     next();
   });
 
+  // Apply middleware
+  if (middleware) {
+    middleware.forEach(function(fn){
+      self.use(fn);
+    });
+  }
+
   // Use router, expose as app.get(), etc
   var fn = router(function(app){ self.routes = app; });
   this.__defineGetter__('router', function(){

package.json

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Sinatra inspired web development framework",
-  "version": "1.0.0",
+  "version": "1.0.3",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [ 
     { "name": "TJ Holowaychuk", "email": "tj@vision-media.ca" }, 

test/response.test.js

@@ -63,6 +63,10 @@ module.exports = {
             { url: '/jsonp?callback=baz' },
             { body: 'baz({"foo":"bar"});', status: 201, headers: { 'Content-Type': 'text/javascript', 'X-Foo': 'baz' }});
 
+        assert.response(app,
+            { url: '/jsonp?callback=illegal()[]=;' },
+            { body: 'illegal({"foo":"bar"});', status: 201, headers: { 'Content-Type': 'text/javascript', 'X-Foo': 'baz' }});
+
         assert.response(app,
             { url: '/json?callback=test' },
             { body: '{"foo":"bar"}', status: 201, headers: { 'Content-Type': 'application/json', 'X-Foo': 'baz' }});