Closed tamasd closed 10 years ago
An attacker can turn a JSON endpoint's answer into a JSONP callback, by overriding the Array constructor. Adding a prefix to a JSON response, which makes response syntactically invalid, fixes this issue.
More information on this issue: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
This LGTM. Thanks for the contribution
An attacker can turn a JSON endpoint's answer into a JSONP callback, by overriding the Array constructor. Adding a prefix to a JSON response, which makes response syntactically invalid, fixes this issue.
More information on this issue: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx