Open QiAnXinCodeSafe opened 3 years ago
We should just remove support for JSONP and use plain JSON. This will require updating the frontend too.
I've expanded the original issue to encompass the suggestion by @wetneb
Note that rather than just silently converting JSONP requests and responding with JSON, we should ideally return an error to help the caller (who might be us!) figure out what's going on.
per https://github.com/OpenRefine/OpenRefine/issues/4082#issuecomment-1020944785 - Remove use of JSONP callbacks and use pure JSON instead. This will require changes on both the front and back ends.
This is a generalization of the originally reported issue below:
https://github.com/OpenRefine/OpenRefine/blob/409cf2c30097ae7a5981e941d4bbee49896cd590/main/src/com/google/refine/commands/row/GetRowsCommand.java#L149-L165
Sending unvalidated data to a web browser can result in the browser executing malicious code.
In line 149, ‘callback’ is regarded as tainted data; it affects line 165.
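The following is an added illustration of the change proposed in this issue; it is not OpenRefine code and does not reproduce GetRowsCommand. It contrasts the reflected-callback JSONP pattern flagged above with a handler that serves plain JSON and, as suggested in the discussion, answers a request that still carries a `callback` parameter with an explicit error instead of silently downgrading. The `Response` class, the `respond` and `jsonpBody` method names, and the identifier regex used by `isSafeCallbackName` are assumptions made here for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not OpenRefine code): JSONP reflection versus plain-JSON handling.
 */
public class JsonOnlyHandler {

    /** Minimal stand-in for an HTTP response; a servlet would write to HttpServletResponse. */
    public static final class Response {
        public final int status;
        public final String contentType;
        public final String body;

        Response(int status, String contentType, String body) {
            this.status = status;
            this.contentType = contentType;
            this.body = body;
        }
    }

    /**
     * BEFORE: the pattern the issue describes. Whatever the client sent as
     * 'callback' is concatenated straight into the script body, so the caller
     * controls what the browser will execute.
     */
    public static String jsonpBody(String callback, String json) {
        return callback + "(" + json + ");";
    }

    /**
     * AFTER: plain JSON only. A request that still sends a callback parameter
     * gets a clear error so the caller (possibly the project's own frontend)
     * notices that it needs updating, rather than a silently converted reply.
     */
    public static Response respond(Map<String, String> params, String json) {
        if (params.containsKey("callback")) {
            String msg = "{\"code\":\"error\",\"message\":"
                    + "\"JSONP callbacks are not supported; request plain JSON\"}";
            return new Response(400, "application/json; charset=utf-8", msg);
        }
        return new Response(200, "application/json; charset=utf-8", json);
    }

    /**
     * Defence-in-depth check for any transitional period in which JSONP must stay:
     * only a dotted JavaScript identifier is accepted. The pattern and length cap
     * are assumptions chosen for this example, not an OpenRefine rule.
     */
    private static final Pattern SAFE_CALLBACK =
            Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    public static boolean isSafeCallbackName(String callback) {
        return callback != null && callback.length() <= 64
                && SAFE_CALLBACK.matcher(callback).matches();
    }

    public static void main(String[] args) {
        String json = "{\"rows\":[]}";          // constructed sample payload
        String notAnIdentifier = "cb();extra";  // constructed callback value containing code

        System.out.println("JSONP (before): " + jsonpBody(notAnIdentifier, json));
        System.out.println("Safe name? " + isSafeCallbackName(notAnIdentifier)); // false
        System.out.println("Safe name? " + isSafeCallbackName("jQuery_123"));    // true

        Map<String, String> legacy = new HashMap<>();
        legacy.put("callback", notAnIdentifier);
        Response r1 = respond(legacy, json);
        System.out.println("After, with callback: " + r1.status + " " + r1.body);

        Response r2 = respond(new HashMap<>(), json);
        System.out.println("After, plain JSON:    " + r2.status + " " + r2.body);
    }
}
```

Once every endpoint responds this way, the frontend must drop its `callback`/`dataType: "jsonp"` usage and consume the JSON body directly; pairing the `application/json` content type with an `X-Content-Type-Options: nosniff` header keeps browsers from treating the response as script.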