openresty / xss-nginx-module

Native support for cross-site scripting (XSS) in an nginx

Callback not added in certain circumstances #3

Closed smulube closed 11 years ago

smulube commented 12 years ago

Hi,

We're using your module in production, and we've just had a user report an issue that I'd like to raise with you: it causes the callback wrapper not to be added when I think it probably should be.

GET http://example.com/123.json
{"json":true}

GET http://example.com/123.json?callback=foo_bar
foo_bar({"json":true});

GET http://example.com/123.json?callback=foo.bar
foo.bar({"json":true});

all as you'd expect but:

GET http://example.com/123.json?callback=foo._bar
{"json":true}

and in the last case it logs:

xss: bad callback argument: "foo._bar"

in nginx's error log.

Is this just an obscure edge case that hasn't come up before, or is there some deeper reason why that callback isn't being added that I'm not seeing (which is entirely possible).

Many thanks for any advice.

best regards

Sam
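To make the validation rule in question concrete, here is an added example (not code from xss-nginx-module) of the check a JSONP filter has to make. The callback name is the one piece of attacker-controlled input that is written into the response body outside the JSON, so a filter that accepts `callback=foo._bar` must still reject `callback=alert(1)//`. The grammar used here (a dotted path of ASCII JavaScript identifiers) and the error-log message format are assumptions modelled on the behaviour described in this issue, not the module's actual parser.

```python
import re

# Assumed grammar, not the module's own: a callback is a dotted path of
# JavaScript identifiers, each segment starting with a letter, underscore or
# dollar sign.  Under this rule `foo._bar` is as valid as `foo.bar`.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
CALLBACK_RE = re.compile(rf"{_IDENT}(?:\.{_IDENT})*")


def is_valid_callback(name: str) -> bool:
    """True only for names that cannot break out of `name(...);`.

    fullmatch() is used deliberately: re.match() with a trailing `$` would
    still accept "foo\n", because `$` matches before a final newline.
    """
    return CALLBACK_RE.fullmatch(name) is not None


def wrap_jsonp(body: str, callback, log: list) -> str:
    """Decide the response body for one request.

    No callback -> plain JSON.  Valid callback -> `callback(body);`.
    Invalid callback -> plain JSON plus a diagnostic (constructed message
    format, echoing the log line quoted in the issue) so the rejection is
    visible in the error log rather than silently swallowed.
    """
    if callback is None:
        return body
    if not is_valid_callback(callback):
        log.append(f'xss: bad callback argument: "{callback}"')
        return body
    return f"{callback}({body});"


def replay_issue(log: list) -> list:
    """Reproduce the four requests from the issue plus two hostile ones.

    Sample requests are constructed for this example.  Returns the list of
    response bodies in request order.
    """
    body = '{"json":true}'
    callbacks = [
        None,                 # GET /123.json
        "foo_bar",            # ?callback=foo_bar
        "foo.bar",            # ?callback=foo.bar
        "foo._bar",           # ?callback=foo._bar  (the reported case)
        "alert(1)//",         # reflected-XSS attempt, must be rejected
        "foo._bar;alert(1)//",# valid prefix followed by injected code
    ]
    return [wrap_jsonp(body, cb, log) for cb in callbacks]


if __name__ == "__main__":
    diagnostics: list = []
    for response in replay_issue(diagnostics):
        print(response)
    for line in diagnostics:
        print("error.log:", line)
```

The point of the strict grammar is that every accepted callback is a bare property path, so the only thing an attacker can choose is which function gets called with the JSON, never what else runs in the page.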

agentzh commented 12 years ago

On Fri, Nov 4, 2011 at 7:10 AM, Sam Mulube reply@reply.github.com wrote:

all as you'd expect but:

   GET http://example.com/123.json?callback=foo._bar
   {"json":true}

and in the last case it logs:

   xss: bad callback argument: "foo._bar"

in nginx's error log.

Thanks for the report. This is indeed a bug in the callback name parser. I'll fix it later today.

Thanks! -agentzh

smulube commented 12 years ago

Awesome, thanks.

agentzh commented 12 years ago

On Fri, Nov 4, 2011 at 8:34 AM, agentzh agentzh@gmail.com wrote:

and in the last case it logs:

   xss: bad callback argument: "foo._bar"

in nginx's error log.

Thanks for the report. This is indeed a bug in the callback name parser. I'll fix it later today.

I've already fixed this in the v0.03rc5 (pre)release:

https://github.com/agentzh/xss-nginx-module/tags

Could you please try it out?

Thanks! -agentzh

smulube commented 12 years ago

Thanks, will let you know when we manage to test it out.

agentzh commented 11 years ago

Consider it resolved.