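/// <summary>
/// Writes the response body. When the request carries a JSONP callback parameter,
/// the serialized object is wrapped in a guarded invocation of that callback;
/// otherwise the plain JSON formatter writes the body.
/// </summary>
/// <param name="context">The formatter write context; must not be null.</param>
/// <param name="selectedEncoding">The encoding handed to the response writer.</param>
/// <returns>A task that completes once the body has been written and flushed.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
/// <exception cref="InvalidOperationException">The callback name fails <c>CallbackValidator.IsValid</c>.</exception>
public override async Task WriteResponseBodyAsync(OutputFormatterWriteContext context, Encoding selectedEncoding)
{
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    string callback;
    if (!IsJsonpRequest(context.HttpContext.Request, _callbackQueryParameter, out callback))
    {
        // Not a JSONP request: emit a plain JSON body.
        await _jsonMediaTypeFormatter.WriteResponseBodyAsync(context, selectedEncoding);
        return;
    }

    // The callback name comes from the query string and is written into executable
    // script below, so it must pass validation before anything is emitted.
    if (!CallbackValidator.IsValid(callback))
    {
        // NOTE(review): the raw callback value is echoed into the exception message;
        // make sure such messages are not surfaced in client-facing error responses.
        throw new InvalidOperationException($"Callback '{callback}' is invalid!");
    }

    using (var writer = context.WriterFactory(context.HttpContext.Response.Body, selectedEncoding))
    {
        // The leading /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse";
        // the typeof check only reduces client-side error noise when the callback is undefined.
        // (The previously built-but-unused local string that duplicated this prefix is gone.)
        writer.Write("/**/ typeof " + callback + " === 'function' && " + callback + "(");
        // NOTE(review): Write/Flush here and WriteObject below are synchronous; hosts that
        // disallow synchronous response I/O may reject them — confirm against the host config.
        writer.Flush();
        _jsonMediaTypeFormatter.WriteObject(writer, context.Object);
        writer.Write(");");
        await writer.FlushAsync();
    }
}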
/// <summary>
/// Checks that <c>CallbackValidator.IsValid</c> returns the expected verdict
/// for the given JSONP callback name.
/// </summary>
/// <param name="callback">The callback name under test.</param>
/// <param name="isValid">The result the validator is expected to produce.</param>
public void IsValid(string callback, bool isValid)
{
    var actual = CallbackValidator.IsValid(callback);

    Assert.That(actual, Is.EqualTo(isValid));
}