Commit 5d8fecf

[SECURITY] Fix XSS vulnerability in API Callback
1 parent c381af8 commit 5d8fecf

File tree

1 file changed

+3
-1
lines changed


include/classes/api.class.php

Lines changed: 3 additions & 1 deletion
@@ -37,8 +37,10 @@ function get_json($data, $force=false) {
3737
)), $force ? JSON_FORCE_OBJECT : 0
3838
);
3939
// JSONP support issue #1700
40-
if (isset($_REQUEST['callback']))
40+
if (isset($_REQUEST['callback']) && ctype_alpha($_REQUEST['callback'])) {
41+
header('Content-type: application/json; charset=utf-8');
4142
return $_REQUEST['callback'] . '(' . $json . ');';
43+
}
4244
return $json;
4345
}
4446
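Review bot: the `ctype_alpha()` whitelist on the new `if` line closes the injection, but it is locale-dependent (outside the C locale, high bytes can count as letters) and it rejects callback names that real JSONP clients generate (jQuery's auto-generated callbacks contain digits and an underscore, and dotted names such as `App.cb` fail as well), so requests from those clients silently fall through to the plain `return $json;` path; a fixed, locale-independent pattern is more predictable, e.g. `if (isset($_REQUEST['callback']) && preg_match('/^[A-Za-z_$][A-Za-z0-9_$.]*$/', $_REQUEST['callback'])) {`. Two smaller points on the same hunk: the JSONP branch sends `Content-type: application/json; charset=utf-8` although the body returned is JavaScript, so it should be `application/javascript` (a browser honouring `X-Content-Type-Options: nosniff` will refuse to execute a `<script>` served with a JSON MIME type), and reading the callback from `$_REQUEST` lets it arrive via cookie or POST body as well as the query string, so `$_GET` is the tighter source.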
