by simonw 4363 days ago
That's due to an extremely complex (albeit easy to exploit) SWF reflection attack.

JSONP itself, though yucky, should still be safe from XSS given a /**/ prefix and a validated callback parameter.

1 comment

> given a /**/ prefix and a validated callback parameter.

I think that is the "waiting to happen" part of my initial comment.