Prevent XSS in JSONP callback

Replaces #103

See: http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call

Author: willdurand

Controller/Controller.php

@@ -17,8 +17,9 @@
 use Symfony\Component\Config\ConfigCache;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\HttpKernel\Kernel;
 use Symfony\Component\HttpFoundation\Session\Flash\AutoExpireFlashBag;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\Kernel;
 
 /**
  * Controller class.
@@ -100,7 +101,11 @@ public function indexAction(Request $request, $_format)
 
         $content = file_get_contents((string) $cache);
 
-        if ($callback = $request->query->get('callback')) {
+        if (null !== $callback = $request->query->get('callback')) {
+            if (false === ctype_alnum($callback)) {
+                throw new HttpException(400, 'Invalid JSONP callback value');
+            }
+
             $content = $callback.'('.$content.');';
         }
 

Tests/Controller/ControllerTest.php

@@ -47,6 +47,15 @@ public function testGenerateWithCallback()
         $this->assertEquals('foo({"base_url":"","routes":[],"prefix":"","host":"","scheme":""});', $response->getContent());
     }
 
+    /**
+     * @expectedException Symfony\Component\HttpKernel\Exception\HttpException
+     */
+    public function testGenerateWithInvalidCallback()
+    {
+        $controller = new Controller($this->getSerializer(), $this->getExtractor());
+        $response   = $controller->indexAction($this->getRequest('/', 'GET', array('callback' => '(function xss(x){evil()})')), 'json');
+    }
+
     public function testIndexActionWithoutRoutes()
     {
         $controller = new Controller($this->getSerializer(), $this->getExtractor(), array(), sys_get_temp_dir());