[#1057][xs] escape pjson callback

ckan · Feb 13, 2012 · 3d7cbf0 · 3d7cbf0
1 parent a608d92
commit 3d7cbf0
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/ckan/controllers/api.py b/ckan/controllers/api.py
@@ -1,4 +1,5 @@
 import logging
+import cgi
 
 from paste.util.multidict import MultiDict 
 from webob.multidict import UnicodeMultiDict
@@ -70,7 +71,8 @@ def _finish(self, status_int, response_data=None,
             if status_int==200 and request.params.has_key('callback') and \
                    (request.method == 'GET' or \
                     c.logic_function and request.method == 'POST'):
-                callback = request.params['callback']
+                # escape callback to remove '<', '&', '>' chars
+                callback = cgi.escape(request.params['callback'])
                 response_msg = self._wrap_jsonp(callback, response_msg)
         return response_msg