Page MenuHomePhabricator

Please, may we use square brackets in JSON callbacks?
Closed, ResolvedPublic

Description

Author: kent_brewster

Description:
It would be enormously useful to be able to use square brackets in JSON callbacks, like so:

&callback=foo[4]

... or like so:

&callback=foo%5B4%5D

Thanks very much!


Version: unspecified
Severity: enhancement
URL: http://en.wikipedia.org/w/api.php

Details

Reference
bz12136

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:57 PM
bzimport set Reference to bz12136.

(In reply to comment #0)

It would be enormously useful to be able to use square brackets in JSON
callbacks, like so:

&callback=foo[4]

How in the name of hell can foo[4] (an array element) be a valid JavaScript function? Do you have an array of functions? An array of function pointers? Is that even *possible* in JavaScript?

Closing as INVALID for now.

Yes, that's entirely possible in JavaScript. I can't say I'd recommend it for readability purposes, though. :)

kent_brewster wrote:

Functions can be members of arrays, and their indices are available inside; this comes in handy when you need to know which of many possible responses to an API query you're looking at. Vital for Web apps that might make more than one query to the same API before reloading the page.

Here is some generic code:

// create an empty array:
var ping = [];

// after you've recieved a value for myQuery, create a function to receive results:
var n = ping.length;
ping[n] = function(result) {
   if (result.totalResultsAvailable) {
      alert('Results found: ' + result.totalResultsAvailable);
   } else {
      alert('Nothing found, sorry!');
   }
   var s = document.getElementById(ping[n]);
   if (s !== 'undefined') {
      s.parentNode.removeChild(s);
   }
   delete ping[n];
};

// create an API call
var myCallback= 'ping[' + n + ']';
var url = 'http://your.api.com/?callback=' + myCallback + '&query=' + myQuery;
var s = document.createElement('SCRIPT');
s.id = callback;

// append a script node with the call
document.getElementsByTagName('BODY')[0].appendChild(s);

I have a presentation online here:

http://kentbrewster.com/wiki-widget

... that shows this technique in use, if you're interested.

Even then, can't use just do

var myFunc = funcArr[n];

and use myFunc() as a callback?

Bryan.TongMinh wrote:

Does this introduce security problems? Do we need to check whether the callback is valid JS?

kent_brewster wrote:

Roan: yes, but you still need to pass n to funcArr[n], right? Or am I missing something?

Bryan: it's probably already been taken care of in your filtering. As long as you're only allowing integers between those square brackets, you're fine.

If you look at http://developer.yahoo.com/common/json.html, you'll see that one of the world's biggest providers of API data does this with all their calls; so far, nothing bad has happened.

Bryan.TongMinh wrote:

That basically means that we would have to drop the filtering that is done on the callback parameter. No problems with that as far as I can see. Brion?

Well, I might recommend a basic sanity check; returning completely arbitrary input might be used to generate special file download links, say a big ol' EXE file with some junk JSON at the end. :)

I'm gonna look into this some time this week.

Bryan.TongMinh wrote:

Fixed in r32822: Extended allowed characters in JSON callback to ][.'"_A-Za-z0-9