Skip to main content

Is this safe for providing JSONP?

Image
By User 




<?php header('content-type: application/json');



$json = json_encode($data);



echo isset($_GET['callback'])

    ? "{$_GET['callback']}($json)"

    : $json;







Or should I for example filter the $_GET['callback'] variable so that it only contains a valid JavaScript function name? If so, what are valid JavaScript function names?





Or is not filtering that variable a bit of the point with JSONP?







Current solution: Blogged about my current solution at http://www.geekality.net/?p=1021 . In short, for now, I have the following code, which hopefully should be pretty safe:







<?php header('content-type: application/json; charset=utf-8');



function is_valid_callback($subject)

{

     $identifier_syntax

       = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*+$/u';



     $reserved_words = array('break', 'do', 'instanceof', 'typeof', 'case',

       'else', 'new', 'var', 'catch', 'finally', 'return', 'void', 'continue', 

       'for', 'switch', 'while', 'debugger', 'function', 'this', 'with', 

       'default', 'if', 'throw', 'delete', 'in', 'try', 'class', 'enum', 

       'extends', 'super', 'const', 'export', 'import', 'implements', 'let', 

       'private', 'public', 'yield', 'interface', 'package', 'protected', 

       'static', 'null', 'true', 'false');



     return preg_match($identifier_syntax, $subject)

         && ! in_array(mb_strtolower($subject, 'UTF-8'), $reserved_words);

}



$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);

$json = json_encode($data);



# JSON if no callback

if( ! isset($_GET['callback']))

     exit( $json );



# JSONP if valid callback

if(is_valid_callback($_GET['callback']))

     exit( "{$_GET['callback']}($json)" );



# Otherwise, bad request

header('Status: 400 Bad Request', true, 400);





Source: Tips4all
Labels:

Comments

  1. Tips For AllApril 6, 2012 at 7:34 AM

    No, if you intend to limit the JSONP to select domains. Specify the encoding too or people who shouldn't be able to access the JSON can possibly do UTF-7 injection attacks. Use this header instead:

    header('Content-Type: application/json; charset=utf-8');


    If it's supposed to be a public JSONP service, then yes it is safe, and also use application/javascript instead of application/json.

    ReplyDelete
  2. Tips For AllApril 6, 2012 at 7:34 AM

    I think it is safe. As long as you do not echo $_GET['callback'] in another page without escaping. The one who does the request can put whatever js he wants in it, I think it will always be his problems, not yours. This page provides the definition of a valid js function name : http://www.functionx.com/javascript/Lesson05.htm

    ReplyDelete

Post a Comment

Popular posts from this blog

[韓日関係] 首相含む大幅な内閣改造の可能性…早ければ来月10日ごろ=韓国

By Unknown
Post a Comment
Read more

div not scrolling properly with slimScroll plugin

By User
I am using the slimScroll plugin for jQuery by Piotr Rochala Which is a great plugin for nice scrollbars on most browsers but I am stuck because I am using it for a chat box and whenever the user appends new text to the boxit does scroll using the .scrollTop() method however the plugin's scrollbar doesnt scroll with it and when the user wants to look though the chat history it will start scrolling from near the top. I have made a quick demo of my situation http://jsfiddle.net/DY9CT/2/ Does anyone know how to solve this problem?
1 comment
Read more

Why does this javascript based printing cause Safari to refresh the page?

By User
The page I am working on has a javascript function executed to print parts of the page. For some reason, printing in Safari, causes the window to somehow update. I say somehow, because it does not really refresh as in reload the page, but rather it starts the "rendering" of the page from start, i.e. scroll to top, flash animations start from 0, and so forth. The effect is reproduced by this fiddle: http://jsfiddle.net/fYmnB/ Clicking the print button and finishing or cancelling a print in Safari causes the screen to "go white" for a sec, which in my real website manifests itself as something "like" a reload. While running print button with, let's say, Firefox, just opens and closes the print dialogue without affecting the fiddle page in any way. Is there something with my way of calling the browsers print method that causes this, or how can it be explained - and preferably, avoided? P.S.: On my real site the same occurs with Chrome. In the ex
5 comments
Read more