REST API: Create the general wp_check_jsonp_callback() function for validating JSONP callback functions.

Move the REST API JSONP callback validation check into a separate function named `wp_check_jsonp_callback()`. This allows plugins to use the built-in validation when handling JSONP callbacks. Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with `/**/`. This will mitigate the Rosetta Flash exploit. You should also send the `X-Content-Type-Options:nosniff` header, or even better, use the REST API infrastructure. Props rmccue. Fixes #28523. git-svn-id: https://develop.svn.wordpress.org/trunk@37646 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 22:30:04 +00:00 · 2016-06-06 21:33:30 +00:00
parent 9da22fc4d9
commit 25c3618138
3 changed files with 49 additions and 8 deletions
--- a/tests/phpunit/tests/rest-api.php
+++ b/tests/phpunit/tests/rest-api.php
@@ -322,4 +322,29 @@ class Tests_REST_API extends WP_UnitTestCase {

 	}

+	public function jsonp_callback_provider() {
+		return array(
+			// Standard names
+			array( 'Springfield', true ),
+			array( 'shelby.ville', true ),
+			array( 'cypress_creek', true ),
+			array( 'KampKrusty1', true ),
+
+			// Invalid names
+			array( 'ogden-ville', false ),
+			array( 'north haverbrook', false ),
+			array( "Terror['Lake']", false ),
+			array( 'Cape[Feare]', false ),
+			array( '"NewHorrorfield"', false ),
+			array( 'Scream\\ville', false ),
+		);
+	}
+
+	/**
+	 * @dataProvider jsonp_callback_provider
+	 */
+	public function test_jsonp_callback_check( $callback, $valid ) {
+		$this->assertEquals( $valid, wp_check_jsonp_callback( $callback ) );
+	}
+
 }