Release 1.0.5

This prevents JSONP callbacks from being used as an XSS vector. The set
of acceptable characters is intentionally more limited than the full
set of valid characters in JS identifiers in order to avoid complexity,
but this could be expanded in the future if necessary.

.gitmodules

@@ -16,3 +16,6 @@
 [submodule "support/jade"]
 	path = support/jade
 	url = git://github.com/visionmedia/jade.git
+[submodule "support/qs"]
+	path = support/qs
+	url = git://github.com/visionmedia/node-querystring.git

.npmignore

@@ -0,0 +1,4 @@
+test
+support
+examples
+docs

History.md

@@ -1,4 +1,33 @@
 
+1.0.5 / 2011-02-05 
+==================
+
+  * Added secret to generated app `session()` call
+
+1.0.4 / 2011-02-05 
+==================
+
+  * Added `qs` dependency to _package.json_
+  * Fixed namespaced `require()`s for latest connect support
+
+1.0.3 / 2011-01-13 
+==================
+
+  * Remove unsafe characters from JSONP callback names [Ryan Grove]
+
+1.0.2 / 2011-01-10 
+==================
+
+  * Removed nested require, using `connect.router`
+
+1.0.1 / 2010-12-29 
+==================
+
+  * Fixed for middleware stacked via `createServer()`
+    previously the `foo` middleware passed to `createServer(foo)`
+    would not have access to Express methods such as `res.send()`
+    or props like `req.query` etc.
+
 1.0.0 / 2010-11-16 
 ==================
 

Makefile

@@ -38,6 +38,7 @@ uninstall-docs:
 test:
 	@NODE_ENV=test ./support/expresso/bin/expresso \
 		-I lib \
+		-I support \
 		-I support/connect/lib \
 		-I support/haml/lib \
 		-I support/jade/lib \

Readme.md

@@ -69,7 +69,7 @@ The following are the major contributors of Express (in no specific order).
     
 The latest release of Express is compatible with node --version:
 
-    v0.2.4
+    v0.2.5
 
 and connect --version:
 

bin/express

@@ -12,7 +12,7 @@ var fs = require('fs')
  * Framework version.
  */
 
-var version = '1.0.0';
+var version = '1.0.5';
 
 /**
  * stdin stream.
@@ -145,10 +145,11 @@ var appTest = [
   , " * Module dependencies."
   , " */"
   , ""
-  , "var app = require('../app');"
+  , "var app = require('../app')"
+  , "  , assert = require('assert');"
   , "",
   , "module.exports = {"
-  , "  'GET /': function(assert){"
+  , "  'GET /': function(){"
   , "    assert.response(app,"
   , "      { url: '/' },"
   , "      { status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' }},"
@@ -320,7 +321,7 @@ function createApplicationAt(path) {
 
     // Session support
     app = app.replace(':SESS', sessions
-      ? '\n  app.use(express.cookieDecoder());\n  app.use(express.session());'
+      ? '\n  app.use(express.cookieDecoder());\n  app.use(express.session({ secret: \'your secret here\' }));'
       : '');
 
     // Template support

docs/guide.1

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GUIDE" "" "November 2010" "" ""
+.TH "GUIDE" "" "January 2011" "" ""
 .
 .SH "NAME"
 \fBguide\fR
@@ -32,21 +32,6 @@ $ npm install express
 .
 .IP "" 0
 .
-.P
-git clone, first update the submodules:
-.
-.IP "" 4
-.
-.nf
-
-$ git submodule update \-\-init
-$ make install
-$ make install\-support
-.
-.fi
-.
-.IP "" 0
-.
 .SS "Creating An Application"
 The \fIexpress\.Server\fR now inherits from \fIhttp\.Server\fR, however follows the same idiom by providing \fIexpress\.createServer()\fR as shown below\. This means that you can utilize Express server\'s transparently with other libraries\.
 .
@@ -80,14 +65,16 @@ app\.configure(function(){
     app\.use(express\.methodOverride());
     app\.use(express\.bodyDecoder());
     app\.use(app\.router);
-    app\.use(express\.staticProvider(__dirname + \'/public\'));
 });
 
 app\.configure(\'development\', function(){
+    app\.use(express\.staticProvider(__dirname + \'/public\'));
     app\.use(express\.errorHandler({ dumpExceptions: true, showStack: true }));
 });
 
 app\.configure(\'production\', function(){
+  var oneYear = 31557600000;
+    app\.use(express\.staticProvider({ root: __dirname + \'/public\', maxAge: oneYear }));
     app\.use(express\.errorHandler());
 });
 .
@@ -938,19 +925,22 @@ EJS \fIhttp://github\.com/visionmedia/ejs\fR Embedded JavaScript
 CoffeeKup \fIhttp://github\.com/mauricemach/coffeekup\fR CoffeeScript based templating
 .
 .IP "\(bu" 4
+Eco \fIhttp://github\.com/sstephenson/eco\fR Embedded CoffeeScript
+.
+.IP "\(bu" 4
 jQuery Templates \fIhttps://github\.com/kof/node\-jqtpl\fR for node
 .
 .IP "" 0
 .
 .SS "Session Support"
-Sessions support can be added by using Connect\'s \fIsession\fR middleware\. To do so we also need the \fIcookieDecoder\fR middleware place above it, which will parse and populate cookie data to \fIreq\.cookies\fR\.
+Sessions support can be added by using Connect\'s \fIsession\fR middleware\. To do so we also need the \fIcookieDecoder\fR middleware place above it, which will parse and populate cookie data to \fIreq\.cookies\fR\. The session middleware requires only a \fBsecret\fR\.
 .
 .IP "" 4
 .
 .nf
 
 app\.use(express\.cookieDecoder());
-app\.use(express\.session());
+app\.use(express\.session({ secret: \'keyboard cat\' }));
 .
 .fi
 .
@@ -965,7 +955,7 @@ By default the \fIsession\fR middleware uses the memory store bundled with Conne
 
 var RedisStore = require(\'connect\-redis\');
 app\.use(express\.cookieDecoder());
-app\.use(express\.session({ store: new RedisStore }));
+app\.use(express\.session({ store: new RedisStore, secret: \'keyboard cat\' }));
 .
 .fi
 .
@@ -981,7 +971,7 @@ Now the \fIreq\.session\fR and \fIreq\.sessionStore\fR properties will be access
 var RedisStore = require(\'connect\-redis\');
 app\.use(express\.bodyDecoder());
 app\.use(express\.cookieDecoder());
-app\.use(express\.session({ store: new RedisStore }));
+app\.use(express\.session({ store: new RedisStore, secret: \'keyboard cat\' }));
 
 app\.post(\'/add\-to\-cart\', function(req, res){
   // Perhaps we posted several items with a form
@@ -1160,7 +1150,7 @@ Checks urlencoded body params (\fIreq\.body\fR), ex: id=12
 To utilize urlencoded request bodies, \fIreq\.body\fR should be an object\. This can be done by using the \fIexpress\.bodyDecoder\fR middleware\.
 .
 .SS "req\.flash(type[, msg])"
-Queue flash \fImsg\fR of the given \fItype\fR\.
+Queue flash \fImsg\fR of the given \fItype\fR\. These messages are stored in the session (thus requiring the \fBsession\fR middleware), enabling them to span one or more requests before flushing\.
 .
 .IP "" 4
 .
@@ -1197,6 +1187,9 @@ req\.flash(\'info\', \'email delivery to _%s_ from _%s_ failed\.\', toUser, from
 .
 .IP "" 0
 .
+.P
+For HTML flash message check out the express\-contrib \fIhttps://github\.com/visionmedia/express\-contrib\fR library\.
+.
 .SS "req\.isXMLHttpRequest"
 Also aliased as \fIreq\.xhr\fR, this getter checks the \fIX\-Requested\-With\fR header to see if it was issued by an \fIXMLHttpRequest\fR:
 .

docs/guide.html

@@ -257,13 +257,6 @@
 <pre><code>$ npm install express
 </code></pre>
 
-<p>git clone, first update the submodules:</p>
-
-<pre><code>$ git submodule update --init
-$ make install
-$ make install-support
-</code></pre>
-
 <h3 id="Creating-An-Application">Creating An Application</h3>
 
 <p>The <em>express.Server</em> now inherits from <em>http.Server</em>, however
@@ -295,14 +288,16 @@ otherwise the first call to <em>app.{get,put,del,post}()</em> will mount the rou
     app.use(express.methodOverride());
     app.use(express.bodyDecoder());
     app.use(app.router);
-    app.use(express.staticProvider(__dirname + '/public'));
 });
 
 app.configure('development', function(){
+    app.use(express.staticProvider(__dirname + '/public'));
     app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
 });
 
 app.configure('production', function(){
+  var oneYear = 31557600000;
+    app.use(express.staticProvider({ root: __dirname + '/public', maxAge: oneYear }));
     app.use(express.errorHandler());
 });
 </code></pre>
@@ -822,23 +817,24 @@ for free:</p>
 <li><a href="http://github.com/visionmedia/haml.js">Haml</a> pythonic indented templates</li>
 <li><a href="http://github.com/visionmedia/ejs">EJS</a> Embedded JavaScript</li>
 <li><a href="http://github.com/mauricemach/coffeekup">CoffeeKup</a> CoffeeScript based templating</li>
+<li><a href="http://github.com/sstephenson/eco">Eco</a> Embedded CoffeeScript</li>
 <li><a href="https://github.com/kof/node-jqtpl">jQuery Templates</a> for node</li>
 </ul>
 
 
 <h3 id="Session-Support">Session Support</h3>
 
-<p>Sessions support can be added by using Connect's <em>session</em> middleware. To do so we also need the <em>cookieDecoder</em> middleware place above it, which will parse and populate cookie data to <em>req.cookies</em>.</p>
+<p>Sessions support can be added by using Connect's <em>session</em> middleware. To do so we also need the <em>cookieDecoder</em> middleware place above it, which will parse and populate cookie data to <em>req.cookies</em>. The session middleware requires only a <code>secret</code>.</p>
 
 <pre><code>app.use(express.cookieDecoder());
-app.use(express.session());
+app.use(express.session({ secret: 'keyboard cat' }));
 </code></pre>
 
 <p>By default the <em>session</em> middleware uses the memory store bundled with Connect, however many implementations exist. For example <a href="http://github.com/visionmedia/connect-redis">connect-redis</a> supplies a <a href="http://code.google.com/p/redis/">Redis</a> session store and can be used as shown below:</p>
 
 <pre><code>var RedisStore = require('connect-redis');
 app.use(express.cookieDecoder());
-app.use(express.session({ store: new RedisStore }));
+app.use(express.session({ store: new RedisStore, secret: 'keyboard cat' }));
 </code></pre>
 
 <p>Now the <em>req.session</em> and <em>req.sessionStore</em> properties will be accessible to all routes and subsequent middleware. Properties on <em>req.session</em> are automatically saved on a response, so for example if we wish to shopping cart data:</p>
@@ -846,7 +842,7 @@ app.use(express.session({ store: new RedisStore }));
 <pre><code>var RedisStore = require('connect-redis');
 app.use(express.bodyDecoder());
 app.use(express.cookieDecoder());
-app.use(express.session({ store: new RedisStore }));
+app.use(express.session({ store: new RedisStore, secret: 'keyboard cat' }));
 
 app.post('/add-to-cart', function(req, res){
   // Perhaps we posted several items with a form
@@ -978,7 +974,7 @@ the <em>express.bodyDecoder</em> middleware.</p>
 
 <h3 id="req-flash-type-msg-">req.flash(type[, msg])</h3>
 
-<p>Queue flash <em>msg</em> of the given <em>type</em>.</p>
+<p>Queue flash <em>msg</em> of the given <em>type</em>. These messages are stored in the session (thus requiring the <code>session</code> middleware), enabling them to span one or more requests before flushing.</p>
 
 <pre><code>req.flash('info', 'email sent');
 req.flash('error', 'email delivery failed');
@@ -1000,6 +996,8 @@ req.flash();
 <pre><code>req.flash('info', 'email delivery to _%s_ from _%s_ failed.', toUser, fromUser);
 </code></pre>
 
+<p>For HTML flash message check out the <a href="https://github.com/visionmedia/express-contrib">express-contrib</a> library.</p>
+
 <h3 id="req-isXMLHttpRequest">req.isXMLHttpRequest</h3>
 
 <p>Also aliased as <em>req.xhr</em>, this getter checks the <em>X-Requested-With</em> header

docs/guide.md

@@ -36,19 +36,21 @@ Note the use of _app.router_, which can (optionally) be used to mount the applic
 otherwise the first call to _app.{get,put,del,post}()_ will mount the routes.
 
     app.configure(function(){
-  		app.use(express.methodOverride());
-  		app.use(express.bodyDecoder());
-  		app.use(app.router);
-  		app.use(express.staticProvider(__dirname + '/public'));
-  	});
-	
-  	app.configure('development', function(){
-  		app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
-  	});
-	
-  	app.configure('production', function(){
-  		app.use(express.errorHandler());
-  	});
+    	app.use(express.methodOverride());
+    	app.use(express.bodyDecoder());
+    	app.use(app.router);
+    });
+
+    app.configure('development', function(){
+    	app.use(express.staticProvider(__dirname + '/public'));
+    	app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
+    });
+
+    app.configure('production', function(){
+      var oneYear = 31557600000;
+    	app.use(express.staticProvider({ root: __dirname + '/public', maxAge: oneYear }));
+    	app.use(express.errorHandler());
+    });
 
 For internal and arbitrary settings Express provides the _set(key[, val])_, _enable(key)_, _disable(key)_ methods:
 
@@ -515,27 +517,28 @@ Below are a few template engines commonly used with Express:
   * [Haml](http://github.com/visionmedia/haml.js) pythonic indented templates
   * [EJS](http://github.com/visionmedia/ejs) Embedded JavaScript
   * [CoffeeKup](http://github.com/mauricemach/coffeekup) CoffeeScript based templating
+  * [Eco](http://github.com/sstephenson/eco) Embedded CoffeeScript
   * [jQuery Templates](https://github.com/kof/node-jqtpl) for node
 
 ### Session Support
 
-Sessions support can be added by using Connect's _session_ middleware. To do so we also need the _cookieDecoder_ middleware place above it, which will parse and populate cookie data to _req.cookies_.
+Sessions support can be added by using Connect's _session_ middleware. To do so we also need the _cookieDecoder_ middleware place above it, which will parse and populate cookie data to _req.cookies_. The session middleware requires only a `secret`.
 
     app.use(express.cookieDecoder());
-    app.use(express.session());
+    app.use(express.session({ secret: 'keyboard cat' }));
 
 By default the _session_ middleware uses the memory store bundled with Connect, however many implementations exist. For example [connect-redis](http://github.com/visionmedia/connect-redis) supplies a [Redis](http://code.google.com/p/redis/) session store and can be used as shown below:
 
     var RedisStore = require('connect-redis');
     app.use(express.cookieDecoder());
-    app.use(express.session({ store: new RedisStore }));
+    app.use(express.session({ store: new RedisStore, secret: 'keyboard cat' }));
 
 Now the _req.session_ and _req.sessionStore_ properties will be accessible to all routes and subsequent middleware. Properties on _req.session_ are automatically saved on a response, so for example if we wish to shopping cart data:
 
     var RedisStore = require('connect-redis');
     app.use(express.bodyDecoder());
     app.use(express.cookieDecoder());
-    app.use(express.session({ store: new RedisStore }));
+    app.use(express.session({ store: new RedisStore, secret: 'keyboard cat' }));
 
     app.post('/add-to-cart', function(req, res){
       // Perhaps we posted several items with a form
@@ -656,7 +659,7 @@ the _express.bodyDecoder_ middleware.
 
 ### req.flash(type[, msg])
 
-Queue flash _msg_ of the given _type_.
+Queue flash _msg_ of the given _type_. These messages are stored in the session (thus requiring the `session` middleware), enabling them to span one or more requests before flushing.
 
     req.flash('info', 'email sent');
     req.flash('error', 'email delivery failed');
@@ -676,6 +679,8 @@ Flash notification message may also utilize formatters, by default only the %s s
 
     req.flash('info', 'email delivery to _%s_ from _%s_ failed.', toUser, fromUser);
 
+For HTML flash message check out the [express-contrib](https://github.com/visionmedia/express-contrib) library.
+
 ### req.isXMLHttpRequest
 
 Also aliased as _req.xhr_, this getter checks the _X-Requested-With_ header

examples/session/app.js

@@ -15,7 +15,7 @@ var app = express.createServer(
     //   - req.session
     //   - req.sessionStore
     //   - req.sessionID
-    express.session()
+    express.session({ secret: 'keyboard cat' })
 );
 
 app.get('/', function(req, res){

lib/express/index.js

@@ -19,7 +19,7 @@ var exports = module.exports = require('connect').middleware;
  * Framework version.
  */
 
-exports.version = '1.0.0';
+exports.version = '1.0.5';
 
 /**
  * Module dependencies.

lib/express/request.js

@@ -11,7 +11,7 @@
 
 var http = require('http')
   , utils = require('./utils')
-  , mime = require('connect/utils').mime;
+  , mime = require('connect').utils.mime;
 
 /**
  * Default flash formatters.

lib/express/response.js

@@ -13,8 +13,8 @@ var fs = require('fs')
   , http = require('http')
   , path = require('path')
   , pump = require('sys').pump
-  , utils = require('connect/utils')
-  , mime = require('connect/utils').mime
+  , utils = require('connect').utils
+  , mime = utils.mime
   , parseRange = require('./utils').parseRange;
 
 /**
@@ -85,7 +85,7 @@ http.ServerResponse.prototype.send = function(body, headers, status){
         body = JSON.stringify(body);
         if (this.req.query.callback && this.app.settings['jsonp callback']) {
           this.header('Content-Type', 'text/javascript');
-          body = this.req.query.callback + '(' + body + ');';
+          body = this.req.query.callback.replace(/[^\w$.]/g, '') + '(' + body + ');';
         }
       }
       break;

lib/express/server.js

@@ -14,7 +14,7 @@ var url = require('url')
   , connect = require('connect')
   , utils = connect.utils
   , queryString = require('querystring')
-  , router = require('connect/middleware/router');
+  , router = require('connect').router;
 
 /**
  * Initialize a new `Server` with optional `middleware`.
@@ -32,7 +32,7 @@ var Server = exports = module.exports = function Server(middleware){
   this.viewHelpers = {};
   this.dynamicViewHelpers = {};
   this.errorHandlers = [];
-  connect.Server.call(this, middleware || []);
+  connect.Server.call(this, []);
 
   // Default "home" to / 
   this.set('home', '/');
@@ -65,6 +65,13 @@ var Server = exports = module.exports = function Server(middleware){
     next();
   });
 
+  // Apply middleware
+  if (middleware) {
+    middleware.forEach(function(fn){
+      self.use(fn);
+    });
+  }
+
   // Use router, expose as app.get(), etc
   var fn = router(function(app){ self.routes = app; });
   this.__defineGetter__('router', function(){

package.json

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Sinatra inspired web development framework",
-  "version": "1.0.0",
+  "version": "1.0.5",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [ 
     { "name": "TJ Holowaychuk", "email": "tj@vision-media.ca" }, 
@@ -9,7 +9,10 @@
     { "name": "Ciaran Jessup", "email": "ciaranj@gmail.com" },
     { "name": "Guillermo Rauch", "email": "rauchg@gmail.com" }
   ],
-  "dependencies": { "connect": ">= 0.3.0" },
+  "dependencies": {
+    "connect": ">= 0.5.x",
+    "qs": ">= 0.0.1"
+  },
   "keywords": ["framework", "sinatra", "web", "rest", "restful"],
   "directories": { "lib": "./lib/express" },
   "scripts": { "test": "make test" },

test/fixtures/layouts/pets.jade

@@ -0,0 +1,3 @@
+html
+  != partial('header', { locals: { title: 'Pets' }})
+  body!= body

test/fixtures/partials/header.jade

@@ -0,0 +1,2 @@
+head
+  title= title

test/request.test.js

@@ -114,7 +114,7 @@ module.exports = {
     'test #flash()': function(assert){
         var app = express.createServer(
             connect.cookieDecoder(),
-            connect.session({ store: memoryStore })
+            connect.session({ store: memoryStore, secret: 'wahoo' })
         );
 
         app.flashFormatters = {

test/response.test.js

@@ -63,6 +63,10 @@ module.exports = {
             { url: '/jsonp?callback=baz' },
             { body: 'baz({"foo":"bar"});', status: 201, headers: { 'Content-Type': 'text/javascript', 'X-Foo': 'baz' }});
 
+        assert.response(app,
+            { url: '/jsonp?callback=illegal()[]=;' },
+            { body: 'illegal({"foo":"bar"});', status: 201, headers: { 'Content-Type': 'text/javascript', 'X-Foo': 'baz' }});
+
         assert.response(app,
             { url: '/json?callback=test' },
             { body: '{"foo":"bar"}', status: 201, headers: { 'Content-Type': 'application/json', 'X-Foo': 'baz' }});

test/view.test.js

@@ -563,6 +563,32 @@ module.exports = {
             { body: html });
     },
     
+    'test #partial() in layout': function(assert){
+      var app = create();
+
+      app.get('/', function(req, res){
+        res.render('hello.jade', { layout: 'layouts/pets.jade' });
+      });
+
+      assert.response(app,
+        { url: '/' },
+        { body: '<html><head><title>Pets</title></head><body><p>:(</p></body></html>' });
+    },
+    
+    'test #partial() in layout with "view engine" setting': function(assert){
+      var app = create();
+
+      app.set('view engine', 'jade');
+
+      app.get('/', function(req, res){
+        res.render('hello', { layout: 'layouts/pets' });
+      });
+
+      assert.response(app,
+        { url: '/' },
+        { body: '<html><head><title>Pets</title></head><body><p>:(</p></body></html>' });
+    },
+    
     'test #partial() with array-like collection': function(assert){
         var app = create();