From d23ca7df4fdadb41111d49e8d177decb4a21e3c7 Mon Sep 17 00:00:00 2001
From: Felix Hao
Date: Wed, 24 Apr 2019 09:38:57 +0800
Subject: [PATCH] fix http response XSS (#26)

---
 pkg/net/http/blademaster/context.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/net/http/blademaster/context.go b/pkg/net/http/blademaster/context.go
index 1879bd3de..10d051f79 100644
--- a/pkg/net/http/blademaster/context.go
+++ b/pkg/net/http/blademaster/context.go
@@ -5,6 +5,7 @@ import (
 	"math"
 	"net/http"
 	"strconv"
+	"text/template"
 
 	"github.com/bilibili/kratos/pkg/ecode"
 	"github.com/bilibili/kratos/pkg/net/http/blademaster/binding"
@@ -144,9 +145,8 @@ func (c *Context) Render(code int, r render.Render) {
 	}
 
 	params := c.Request.Form
-
-	cb := params.Get("callback")
-	jsonp := cb != "" && params.Get("jsonp") == "jsonp"
+	cb := template.JSEscapeString(params.Get("callback"))
+	jsonp := cb != ""
 	if jsonp {
 		c.Writer.Write([]byte(cb))
 		c.Writer.Write(_openParen)
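Review bot: Dropping the `params.Get("jsonp") == "jsonp"` gate in the second hunk means any request that carries a `callback` parameter now receives a JSONP body, so every response rendered through Render becomes loadable cross-origin via a script tag with the caller's cookies attached; that widens exposure beyond the XSS this commit closes, and the opt-in should stay: `jsonp := cb != "" && params.Get("jsonp") == "jsonp"`. Separately, template.JSEscapeString is meant for text inside a JavaScript string literal, whereas here the value is written as a bare function name before `_openParen`; the conventional defence for a JSONP callback is an allowlist check, for example rejecting anything not matching an identifier pattern such as `^[A-Za-z_$][A-Za-z0-9_$.]*$` (illustrative), rather than escaping. Confirming that the JSONP branch sets a JavaScript content type and `X-Content-Type-Options: nosniff` would also be worthwhile, but that code is outside the hunk. Render's body continues beyond the end of this hunk.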