From 5d8fecfd812bd74c320919b2e3dfd25421c17dc8 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Tue, 10 Jun 2014 09:45:10 +0200
Subject: [PATCH] [SECRUITY] Fix XSS vulnerability in API Callback
---
 include/classes/api.class.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/classes/api.class.php b/include/classes/api.class.php
index 913a1f03..bc6670f3 100644
--- a/include/classes/api.class.php
+++ b/include/classes/api.class.php
@@ -37,8 +37,10 @@ class Api extends Base {
 )), $force ? JSON_FORCE_OBJECT : 0 );
 // JSONP support issue #1700
- if (isset($_REQUEST['callback']))
+ if (isset($_REQUEST['callback']) && ctype_alpha($_REQUEST['callback'])) {
+ header('Content-type: application/json; charset=utf-8');
 return $_REQUEST['callback'] . '(' . $json . ');';
+ }
 return $json;
 }
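Review bot: `ctype_alpha()` rejects any callback name containing a digit, underscore or `$`, so the JSONP clients this branch exists for (issue #1700; e.g. jQuery's auto-generated `jQuery<digits>_<digits>` names) now silently fall through to the bare `return $json;`, and the check's result also depends on the process locale (`setlocale()`) rather than a fixed character set. A locale-independent identifier whitelist keeps both the XSS fix and the feature, and guards against a non-string (`callback[]=`) input that would make `preg_match()` error: `if (isset($_REQUEST['callback']) && is_string($_REQUEST['callback']) && preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $_REQUEST['callback'])) {`. The added header also labels a JavaScript response as JSON; `header('Content-Type: application/javascript; charset=utf-8');` followed by `header('X-Content-Type-Options: nosniff');` is the conventional pair for JSONP and stops browsers from sniffing the body as HTML. The plain `return $json;` path sets no Content-Type inside this hunk, and `json_encode()` does not escape `<`/`>` by default, so that path is only safe if the caller already sends a non-HTML type — worth confirming. The enclosing method starts before the hunk.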