Changeset 37646 for trunk/src/wp-includes/functions.php

Timestamp:

06/06/2016 09:33:30 PM (9 years ago)

Author:

rachelbaker

Message:

REST API: Create the general wp_check_jsonp_callback() function for validating JSONP callback functions.

Move the REST API JSONP callback validation check into a separate function named wp_check_jsonp_callback(). This allows plugins to use the built-in validation when handling JSONP callbacks.
Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with /**/. This will mitigate the Rosetta Flash exploit. You should also send the X-Content-Type-Options:nosniff header, or even better, use the REST API infrastructure.

Props rmccue.
Fixes #28523.

File:

• trunk/src/wp-includes/functions.php (modified) (1 diff)

trunk/src/wp-includes/functions.php

@@ -3106 +3106 @@
 
 /**
+ * Check that a JSONP callback is a valid JavaScript callback.
+ *
+ * Only allows alphanumeric characters and the dot character in callback
+ * function names. This helps to mitigate XSS attacks caused by directly
+ * outputting user input.
+ *
+ * @since 4.6.0
+ *
+ * @param string $callback Supplied JSONP callback function.
+ * @return bool True if valid callback, otherwise false.
+ */
+function wp_check_jsonp_callback( $callback ) {
+    if ( ! is_string( $callback ) ) {
+        return false;
+    }
+
+    $jsonp_callback = preg_replace( '/[^\w\.]/', '', $callback, -1, $illegal_char_count );
+
+    return 0 === $illegal_char_count;
+}
+
+/**
  * Retrieve the WordPress home page URL.
  *