Remove unsafe characters from JSONP callback names.
This prevents JSONP callbacks from being used as an XSS vector. The set of acceptable characters is intentionally more limited than the full set of valid characters in JS identifiers in order to avoid complexity, but this could be expanded in the future if necessary.
Showing with 5 additions and 1 deletion.
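The sanitization described in the commit message, sketched as an added example; it is not the commit's own code, since the diff is not shown on this page. The allowed character set (ASCII letters, digits, underscore), the fallback to plain JSON when nothing survives, and the names `sanitizeCallbackName` and `renderJsonp` are assumptions.

```javascript
'use strict';

// Assumed allow-list: ASCII letters, digits and underscore. The page does not
// show the commit's actual character set; this one is chosen for illustration.
const UNSAFE_CALLBACK_CHARS = /[^A-Za-z0-9_]/g;

// Hypothetical helper: strip every character outside the allow-list.
function sanitizeCallbackName(raw) {
  // Repeated query parameters can arrive as arrays or objects; treat as absent.
  if (typeof raw !== 'string') return '';
  return raw.replace(UNSAFE_CALLBACK_CHARS, '');
}

// Hypothetical helper: build the response for a JSONP-capable endpoint.
function renderJsonp(rawCallback, data) {
  // Escape U+2028/U+2029, which older JS engines treat as line terminators
  // inside string literals even though they are legal in JSON.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  const name = sanitizeCallbackName(rawCallback);
  if (name === '') {
    // Nothing usable left after stripping: serve plain JSON, not script.
    return { contentType: 'application/json', body: json };
  }
  return { contentType: 'application/javascript', body: `${name}(${json});` };
}

// Constructed sample callback values, not taken from the page.
const samples = [
  'handleData',
  'alert(document.domain)//',
  '</script><script>alert(1)</script>',
  '();',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', renderJsonp(s, { ok: true }).body);
}
```

With this allow-list the callback position can only ever hold a bare identifier-like token, so it cannot close the script context or call anything with attacker-chosen arguments.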