From e1482553ca3e1a5afd5247c6e14404d232dfadb0 Mon Sep 17 00:00:00 2001
From: Neil Williams
Date: Fri, 11 Jan 2013 10:56:00 -0800
Subject: [PATCH] =?UTF-8?q?embed/wired/widget:=20Add=20callback=20validati?=
 =?UTF-8?q?on=20=C3=A0=20la=20JSONP.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 r2/r2/controllers/reddit_base.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/r2/r2/controllers/reddit_base.py b/r2/r2/controllers/reddit_base.py
index f603996da..6b00537e5 100644
--- a/r2/r2/controllers/reddit_base.py
+++ b/r2/r2/controllers/reddit_base.py
@@ -377,6 +377,8 @@ def set_content_type():
 if ext in ('embed', 'wired', 'widget'):
 wrapper = request.params.get("callback", "document.write")
 wrapper = filters._force_utf8(wrapper)
+ if not valid_jsonp_callback(wrapper):
+ abort(BadRequestError(errors.BAD_JSONP_CALLBACK))
 def to_js(content):
 return wrapper + "(" + utils.string2js(content) + ");"
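Review bot: The new guard relies on `valid_jsonp_callback` and `errors.BAD_JSONP_CALLBACK` already being in scope in reddit_base.py, because the diffstat shows only these two insertions and no import change; if either name does not resolve, the result is a NameError raised only when a non-conforming callback arrives, which is precisely the request the check exists to reject, so confirm both names are importable at this point. The default `"document.write"` from the line above also flows through the validator, so the accepted pattern must allow dotted names or every embed/wired/widget request that omits the callback parameter will be rejected with a 400; the validator's rule is not visible in this hunk. Since the value is concatenated verbatim into the JS wrapper in `to_js`, a one-line comment above the check would help the next reader, e.g. `# wrapper is interpolated raw into the JS response below; only accept identifier-shaped callback names`. set_content_type starts and ends outside the hunk.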