The cleaned-up tests certainly are a lot easier to follow, and with the
sendRequest helper method, writing new tests that make requests will be easier as
well. All tests pass and we can move on.
14.2.4.3 Malicious Data
Notice that we are currently accepting messages completely unfiltered. This can
lead to all kinds of scary situations. For instance, consider the effects of the
request in Listing 14.20.
Listing 14.20 Malicious request
{ "topic": "message",
  "data": {
    "user": "cjno",
    "message":
      "<script>window.location = 'http://hacked';</script>"
  }
}
Before deploying an application like the one we are currently building, we should
take care to not blindly accept any end user data unfiltered.
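One way to handle the request in Listing 14.20, shown as an added example that is not from the original text: validate the shape of the body when it arrives, and HTML-encode the message when it is rendered. The names validateMessage and escapeHtml, the user name pattern and the length limits are assumptions.

```javascript
// Added example. validateMessage, escapeHtml, the pattern and the limits
// are hypothetical; they are not part of the chat application's own code.
var MAX_USER_LENGTH = 32;              // assumed limit
var MAX_MESSAGE_LENGTH = 1000;         // assumed limit
var USER_PATTERN = /^[A-Za-z0-9_-]+$/; // assumed user name policy

// Parse a raw request body. Returns { user, message }, or null when the
// body is not valid JSON or does not have the expected shape.
function validateMessage(rawBody) {
  var body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return null;
  }
  if (!body || body.topic !== "message") { return null; }
  var data = body.data;
  if (!data || typeof data !== "object") { return null; }
  if (typeof data.user !== "string" || typeof data.message !== "string") {
    return null;
  }
  if (!USER_PATTERN.test(data.user) || data.user.length > MAX_USER_LENGTH) {
    return null;
  }
  if (data.message.length === 0 || data.message.length > MAX_MESSAGE_LENGTH) {
    return null;
  }
  return { user: data.user, message: data.message };
}

var HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
};

// Encode text for use in HTML element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (ch) {
    return HTML_ESCAPES[ch];
  });
}

// Constructed sample: the request body from Listing 14.20.
var malicious = JSON.stringify({
  topic: "message",
  data: { user: "cjno",
          message: "<script>window.location = 'http://hacked';</script>" }
});
console.log(escapeHtml(validateMessage(malicious).message));
```

The message text is stored as sent and encoded only at output, so the markup is displayed as text instead of being interpreted by the browser.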
14.2.5 Responding to Requests
When the controller has added the message, it should respond and close the
connection. In most web frameworks, output buffering and closing the connection happen
automatically behind the scenes. The HTTP server support in Node, however, was
consciously designed with data streaming and long polling in mind. For this reason,
data is never buffered, and connections are never closed until told to do so.
http.ServerResponse objects offer a few methods useful to output a
response, namely writeHead, which writes the status code and response headers;
write, which writes a chunk to the response body; and finally end.
14.2.5.1 Status Code
As there really isn't much feedback to give the user when a message is added,
Listing 14.21 simply expects post to respond with an empty “201 Created.”
Listing 14.21 Expecting status code 201
function controllerSetUp() {
  /* ... */
  var res = this.res = { writeHead: stub() };