fix: fall back to JSON when JSONP callback sanitizes to empty

lib/response.js

@@ -277,14 +277,16 @@ res.jsonp = function jsonp(obj) {
     callback = callback[0];
   }
 
+  // restrict callback charset
+  if (typeof callback === 'string') {
+    callback = callback.replace(/[^\[\]\w$.]/g, '');
+  }
+
   // jsonp
   if (typeof callback === 'string' && callback.length !== 0) {
     this.set('X-Content-Type-Options', 'nosniff');
     this.set('Content-Type', 'text/javascript');
 
-    // restrict callback charset
-    callback = callback.replace(/[^\[\]\w$.]/g, '');
-
     if (body === undefined) {
       // empty argument
       body = ''

test/res.jsonp.js

@@ -87,6 +87,22 @@ describe('res', function(){
       .expect(200, /foobar\(\{\}\);/, done);
     })
 
+    it('should not use JSONP when callback sanitizes to empty', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.jsonp({ count: 1 });
+      });
+
+      // A callback of all disallowed characters sanitizes to an empty string.
+      // This should fall back to plain JSON, not produce invalid JavaScript
+      // like: /**/ typeof  === 'function' &&  ({"count":1});
+      request(app)
+      .get('/?callback=!!!')
+      .expect('Content-Type', 'application/json; charset=utf-8')
+      .expect(200, '{"count":1}', done);
+    })
+
     it('should escape utf whitespace', function(done){
       var app = express();