This is really easy (patch attached): if a jsonp_callback query attribute is available, wrap the JSON response in the callback function specified by that attribute.

Comment  File                  Size     Author
         jsonp-callback.patch  1.05 KB  pavel.karoukin

Comments

pebosi

Status: Needs review » Needs work

Hi,

Wouldn't it be better not to print $_GET['jsonp_callback'] without filtering?

Regards

antwanvdm

I think you should always filter input that could be manipulated by users. You think that might be the case in this situation?

oskar_calvo

Does the patch work?

Oskar

pavel.karoukin

Valid point about XSS. I am no longer working on the project which used this module. Could someone try wrapping $_GET['json_callback'] in check_plain() before outputting it and see if this closes the XSS hole?
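An added example (not the attached patch, and not this module's code) showing the unfiltered wrap discussed above beside a hardened version. Function names are hypothetical; the inputs at the bottom are constructed. It also illustrates why an HTML-escaping call alone is not the right check here: a callback value such as "alert(1)//" contains none of the characters check_plain() escapes, so it passes through unchanged and still executes once the browser loads the response as a script. Validating the callback against a strict identifier allowlist is the usual fix.

```php
<?php
// Added example, not the module's own code. Function names are hypothetical.

// Shape discussed in the thread: the callback name from the query string is
// echoed as-is in front of the JSON. Whatever the client sends becomes code.
function jsonp_wrap_unfiltered(array $data, string $callback): string {
  return $callback . '(' . json_encode($data) . ');';
}

// Allowlist check: a dotted JavaScript identifier path such as "handle" or
// "app.cb_1". Anything else is rejected rather than escaped.
function jsonp_callback_is_valid(string $callback): bool {
  $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
  return strlen($callback) <= 64
    && preg_match('/^' . $ident . '(\.' . $ident . ')*$/', $callback) === 1;
}

// Hardened wrap: validate the callback, encode the payload conservatively,
// and return plain JSON when no callback was requested.
function jsonp_wrap_safe(array $data, ?string $callback): string {
  if ($callback === null) {
    return json_encode($data);
  }
  if (!jsonp_callback_is_valid($callback)) {
    // In a real handler respond with HTTP 400 instead of emitting anything.
    return json_encode(['error' => 'invalid callback']);
  }
  // JSON_HEX_* keeps <, >, &, ' and " out of the literal so the body stays
  // inert even if it is ever rendered into an HTML context by mistake.
  $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
  // Leading comment so the response cannot start with attacker-chosen bytes;
  // in Drupal 7 also send the headers, e.g.
  //   drupal_add_http_header('Content-Type', 'application/javascript');
  //   drupal_add_http_header('X-Content-Type-Options', 'nosniff');
  return '/**/' . $callback . '(' . $json . ');';
}

// Constructed inputs for a quick local run.
$data = ['status' => 'ok', 'title' => 'Hello <world>'];
var_dump(jsonp_callback_is_valid('app.cb_1'));
var_dump(jsonp_callback_is_valid('alert(1)//'));
echo jsonp_wrap_unfiltered($data, 'alert(1)//'), "\n";
echo jsonp_wrap_safe($data, 'app.cb_1'), "\n";
echo jsonp_wrap_safe($data, 'alert(1)//'), "\n";
```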