embed/wired/widget: Add callback validation à la JSONP.

2026-01-28 00:07:57 -05:00 · 2013-01-11 10:56:00 -08:00
parent 116e9939aa
commit e1482553ca
1 changed files with 2 additions and 0 deletions
--- a/r2/r2/controllers/reddit_base.py
+++ b/r2/r2/controllers/reddit_base.py
@@ -377,6 +377,8 @@ def set_content_type():
        if ext in ('embed', 'wired', 'widget'):
            wrapper = request.params.get("callback", "document.write")
            wrapper = filters._force_utf8(wrapper)
+            if not valid_jsonp_callback(wrapper):
+                abort(BadRequestError(errors.BAD_JSONP_CALLBACK))

            def to_js(content):
                return wrapper + "(" + utils.string2js(content) + ");"