From 3d3f72aec678e2f5663794861258277f54bd93cf Mon Sep 17 00:00:00 2001
From: Allan Jardine
Date: Wed, 15 Jul 2015 17:11:15 +0100
Subject: [PATCH] Fix - PHP: Validate the JSONP callback as a valid Javascript function

---
 .datatables-commit-sync | 2 +-
 examples/server_side/scripts/jsonp.php | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/.datatables-commit-sync b/.datatables-commit-sync
index b55fd55a..76c47ce0 100644
--- a/.datatables-commit-sync
+++ b/.datatables-commit-sync
@@ -1 +1 @@
-a93fb4bfd244230f71f8c9dea10102f0b1cb4ff0
+76239c3054300b0e3658a9ab2fce901c255d1537
diff --git a/examples/server_side/scripts/jsonp.php b/examples/server_side/scripts/jsonp.php
index ee6c36c4..4aac77dc 100644
--- a/examples/server_side/scripts/jsonp.php
+++ b/examples/server_side/scripts/jsonp.php
@@ -63,7 +63,14 @@ $sql_details = array(
  */
 
 require( 'ssp.class.php' );
 
-echo $_GET['callback'].'('.json_encode(
- SSP::simple( $_GET, $sql_details, $table, $primaryKey, $columns )
-).');';
+// Validate the JSONP to make use it is an okay Javascript function to execute
+$jsonp = preg_match('/^[$A-Z_][0-9A-Z_$]*$/i', $_GET['callback']) ?
+ $_GET['callback'] :
+ false;
+
+if ( $jsonp ) {
+ echo $jsonp.'('.json_encode(
+ SSP::simple( $_GET, $sql_details, $table, $primaryKey, $columns )
+ ).');';
+}
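Review bot: The `$` anchor in the added pattern `'/^[$A-Z_][0-9A-Z_$]*$/i'` is not a strict end-of-string check, because PCRE `$` also matches just before a trailing newline, so a callback value ending in `\n` passes validation and is echoed verbatim; anchor with `\z` or add the `D` modifier, e.g. `preg_match('/^[$A-Z_][0-9A-Z_$]*\z/i', $_GET['callback'])`. The new code also reads `$_GET['callback']` unconditionally, so a request without that parameter raises an undefined-index notice before validation runs; guarding with `isset($_GET['callback']) && is_string($_GET['callback'])` keeps the check from ever seeing a missing or array-valued parameter. When validation fails the script now ends with an empty 200 response, which hides the rejection from the caller; an `else` branch that sets a 400 status and a short message would make the failure visible in logs and clients. The comment's "make use it" reads as a typo for "make sure it". The variables the hunk uses (`$sql_details`, `$table`, `$primaryKey`, `$columns`) are defined above the hunk, outside this view.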