Make sure generated tokens are never valid JavaScript

2026-02-20 05:07:19 +08:00 · 2015-06-25 10:47:30 +00:00 · 2015-06-25 10:47:30 +00:00 · 6dd0764e91
commit 6dd0764e91
parent d77d0c2e02
1 changed files with 4 additions and 1 deletions
--- a/node_modules/c9/uid.js
+++ b/node_modules/c9/uid.js
@ -8,5 +8,8 @@ module.exports = function(length) {
            .toString("base64")
            .replace(/[^a-zA-Z0-9]/g, "");
    }
-    return uid.slice(0, length);
+    // HACK: make sure unique id is never syntactically valid JavaScript
+    // See http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/
+    uid = "9c" +uid.slice(0, length - 2);
+    return uid;
 };