Custom Query (2152 matches)
Results (886 - 888 of 2152)
Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#1057 | fixed | JSONP parameter isn't escaped | dread | |
Description |
$ curl "http://127.0.0.1:5000/api/rest/package/annakarenina?callback=<script>jsoncallback" gives: <script>jsoncallback({"id": "c10ebd31-5b45-4f6f-885d-dca9b18caec4", "name": "annakarenina", "title": "A Novel By Tolstoy", which could run script code in the client who made the call. One idea for filtering: http://tav.espians.com/sanitising-jsonp-callback-identifiers-for-security.html Maybe just better to have a restricted whitelist of characters to be even more sure. Same as: https://trac.dataco.coi.gov.uk/projects/datagov/ticket/906 |
|||
#2613 | wontfix | Javascript functionality | aron.carroll | shevski |
Description |
|
|||
#532 | invalid | Just a test - please ignore | johnbywater | johnbywater |
Note: See TracQuery
for help on using queries.