by eli 4363 days ago
The linked article demonstrates that even just allowing an attacker-controlled function name can allow an XSS hole!

That's due to an extremely complex (albeit easy to exploit) SWF reflection attack.

JSONP itself, though yucky, should still be safe from XSS given a /**/ prefix and a validated callback parameter.
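As an added example (not code from the thread or the linked article), a minimal JSONP responder that applies both defences the comment names: a whitelisted callback parameter and a fixed `/**/` prefix. The identifier regex, the length limit and the nosniff header are this example's own choices, not rules stated in the thread.

```python
import json
import re

# Whitelist for the callback parameter (an assumption for this example, not a rule
# from the thread): a dotted JavaScript identifier path such as "cb" or "app.done".
_CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
_MAX_CALLBACK_LEN = 64


def is_valid_callback(name: str) -> bool:
    """True only for a short, dotted identifier; anything else is rejected."""
    return len(name) <= _MAX_CALLBACK_LEN and _CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(callback: str, payload: dict) -> tuple[int, dict, str]:
    """Build (status, headers, body) for a JSONP reply.

    Two defences from the thread:
      1. the callback is validated against the whitelist above;
      2. the body starts with a fixed "/**/" prefix, so the first bytes of the
         response are never attacker-controlled. The identifier whitelist alone
         does not guarantee that: a callback made of plain letters can still be
         the start of a non-JavaScript file format, which is what the SWF
         reflection attack mentioned above relies on.
    """
    if not is_valid_callback(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    # json.dumps with the default ensure_ascii=True escapes non-ASCII characters,
    # so U+2028/U+2029 cannot terminate a JavaScript string literal in the body.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Assumed extra hardening: tell the browser not to sniff the content type.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body
```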

> given a /**/ prefix and a validated callback parameter.

I think that is the "waiting to happen" part of my initial comment.