JSON CallBack类型的链接，这类出现在几乎各大Web 2.0网站中。修补这类安全问题很简单，只要在目标网页开头部分强制加一个空格即可，这样BOM头就无效了。

558738ad · astaxie · 0fb7d4ba · 558738ad
Commit 558738ad authored Nov 08, 2013 by astaxie
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

output.go context/output.go +1 -1

No files found.
--- a/context/output.go
+++ b/context/output.go
@@ -158,7 +158,7 @@ func (output *BeegoOutput) Jsonp(data interface{}, hasIndent bool) error {
 	if callback == "" {
 		return errors.New(`"callback" parameter required`)
 	}
-	callback_content := bytes.NewBufferString(template.JSEscapeString(callback))
+	callback_content := bytes.NewBufferString(" " + template.JSEscapeString(callback))
 	callback_content.WriteString("(")
 	callback_content.Write(content)
 	callback_content.WriteString(");\r\n")