Custom Query (2152 matches)
Results (1267 - 1269 of 2152)
Ticket | Resolution | Summary | Owner | Reporter
---|---|---|---|---
#1057 | fixed | JSONP parameter isn't escaped | dread | 

Description:

```
$ curl "http://127.0.0.1:5000/api/rest/package/annakarenina?callback=<script>jsoncallback"
```

gives:

```
<script>jsoncallback({"id": "c10ebd31-5b45-4f6f-885d-dca9b18caec4", "name": "annakarenina", "title": "A Novel By Tolstoy", 
```

which could run script code in the client who made the call.

One idea for filtering: http://tav.espians.com/sanitising-jsonp-callback-identifiers-for-security.html

Maybe just better to have a restricted whitelist of characters to be even more sure.

Same as: https://trac.dataco.coi.gov.uk/projects/datagov/ticket/906

Ticket | Resolution | Summary | Owner | Reporter
---|---|---|---|---
#1437 | fixed | JSONP parameter in Action API | dread | dread

Description:

Action API needs JSONP support - be able to return responses encapsulated in a function of a supplied name. This is important for remote sites running javascript to interact with a CKAN site.

Specifying the callback parameter is the way we've achieved JSONP with the RESTful and Search APIs. It should work like this:

```
curl http://test.ckan.net/api/action/package_show?callback=jsoncallback -d '{"id": "fd788e57-dce4-481c-832d-497235bf9f78"}'
```

Or maybe the callback should be specified in the payload in the context or data_dict?

(My understanding is that CORS is similar - when more browsers support it, can we drop JSONP?)

Ticket | Resolution | Summary | Owner | Reporter
---|---|---|---|---
#342 | fixed | JSONP parameter in API | dread | dread

Description:

As a CKAN client using jQuery I want to call the CKAN API and instead of receiving back JSON I get JSONP, i.e. `"%s(%s)" % (callback, json_content)`.

Suggested implementation: All API calls allow the JSONP 'callback' parameter to be specified in the request and this wraps the JSON response. See suggested patch to rest.py by Donovan Hide: http://knowledgeforge.net/ckan/trac/attachment/ticket/336/resource.patch

Test:

```python
import re
import unittest

def test_jsonp_callback():
```

I think the point needs to be made that JSONP only works for GET requests and not POST/PUT/DELETE, so there needs to be a check for that in the _finish_ok method. (thanks to Donovan Hide for test)
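The three tickets above describe one mitigation in two parts: a restricted character whitelist for the callback name (#1057) and a rule that JSONP wrapping is applied only to GET requests (#342). The following is an added example written for this page, not CKAN's code and not the patch linked in #342; `is_valid_callback`, `finish_ok`, the whitelist regex and the 64-character length limit are assumptions chosen to illustrate the policy, and `finish_ok` is merely named after the `_finish_ok` method the ticket mentions. The sample package record is constructed from the values shown in #1057.

```python
import json
import re

# Whitelist for JSONP callback identifiers (assumed policy, not CKAN's own):
# a name must start with a letter, underscore or '$', continue with letters,
# digits, underscores or '$', and may be dotted for namespaced callbacks such
# as "jQuery.handlers.cb1". '<', '>', '(', ';', quotes and whitespace are all
# rejected, so a value like "<script>jsoncallback" can never reach the body.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
_MAX_CALLBACK_LEN = 64  # assumed limit; legitimate callbacks are short

# Constructed sample response, using the record values quoted in ticket #1057.
PACKAGE = {
    "id": "c10ebd31-5b45-4f6f-885d-dca9b18caec4",
    "name": "annakarenina",
    "title": "A Novel By Tolstoy",
}


def is_valid_callback(name):
    """Return True only if `name` is an acceptable JSONP callback identifier."""
    if not name or len(name) > _MAX_CALLBACK_LEN:
        return False
    return _CALLBACK_RE.match(name) is not None


def finish_ok(method, response_data, callback=None):
    """Serialise an API response, wrapping it in JSONP only when that is safe.

    Returns a (status, content_type, body) tuple. Hypothetical helper named
    after the _finish_ok method discussed in ticket #342.
    """
    body = json.dumps(response_data)
    if callback is None:
        # No callback requested: plain JSON, whatever the HTTP method.
        return 200, "application/json", body
    # JSONP is delivered via <script src=...>, which the browser only ever
    # fetches with GET, so a callback on POST/PUT/DELETE is a request error.
    if method.upper() != "GET":
        return 400, "application/json", json.dumps(
            {"error": "JSONP callback is only supported for GET requests"})
    if not is_valid_callback(callback):
        # Reject rather than "escape": there is no safe way to HTML-escape
        # an identifier that is about to be emitted as JavaScript source.
        return 400, "application/json", json.dumps(
            {"error": "invalid JSONP callback name"})
    # U+2028/U+2029 are legal inside JSON strings but terminate a line in
    # JavaScript source; escape them so the wrapped body stays one statement.
    body = body.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")
    return 200, "application/javascript", "%s(%s)" % (callback, body)


if __name__ == "__main__":
    for method, cb in [("GET", "jsoncallback"),
                       ("GET", "<script>jsoncallback"),
                       ("POST", "jsoncallback"),
                       ("POST", None)]:
        status, ctype, body = finish_ok(method, PACKAGE, cb)
        print(method, repr(cb), "->", status, ctype, body)
```

The reproduction string from #1057 is rejected with a 400 before any of it is copied into the response, and the content type is only switched to `application/javascript` when a valid callback is actually applied, which keeps plain-JSON clients unaffected.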