diff --git a/r2/r2/controllers/reddit_base.py b/r2/r2/controllers/reddit_base.py
index f603996da..6b00537e5 100644
--- a/r2/r2/controllers/reddit_base.py
+++ b/r2/r2/controllers/reddit_base.py
@@ -377,6 +377,8 @@ def set_content_type():
     if ext in ('embed', 'wired', 'widget'):
         wrapper = request.params.get("callback", "document.write")
         wrapper = filters._force_utf8(wrapper)
+        if not valid_jsonp_callback(wrapper):
+            abort(BadRequestError(errors.BAD_JSONP_CALLBACK))
         def to_js(content):
             return wrapper + "(" + utils.string2js(content) + ");"