Type: Non-persistent
Criteria: None
http://game.ijji.com/gems.nhn?m=getGemHistoryJSON&callback=alert(%27xss%27);//
The variable callback should be validated against a whitelist of allowed characters. For a JSON callback function name, A-Z, a-z and 0-9 would be sufficient. The pages that call this script already conform to the proposed fix, so no other editing is required.
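The proposed fix, shown as an added example that is not part of the advisory or of the ijji.com code: a JSONP response builder that echoes the callback unchecked next to one that only accepts alphanumeric callback names. Function names and the sample gem-history data are constructed for illustration.

```javascript
// Only A-Z, a-z and 0-9 are accepted for the callback name, as the advisory proposes.
const CALLBACK_WHITELIST = /^[A-Za-z0-9]+$/;

// Vulnerable pattern: the callback parameter is written straight into the
// script body, so a value such as alert('xss');// is returned as executable code.
function buildJsonpUnsafe(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened pattern: return the callback only if it is a plain alphanumeric
// identifier of reasonable length, otherwise null so the caller can refuse it.
function validateCallback(callback) {
  if (typeof callback !== 'string' || callback.length === 0 || callback.length > 64) {
    return null;
  }
  return CALLBACK_WHITELIST.test(callback) ? callback : null;
}

// Responds with 400 and no script body for an invalid callback. With a valid
// name, the only request-controlled text in the body is alphanumeric, and
// JSON.stringify keeps the data argument inside the call parentheses.
function buildJsonpSafe(callback, data) {
  const name = validateCallback(callback);
  if (name === null) {
    return { status: 400, contentType: 'text/plain; charset=utf-8', body: 'invalid callback' };
  }
  return {
    status: 200,
    contentType: 'application/javascript; charset=utf-8',
    body: `${name}(${JSON.stringify(data)});`,
  };
}

// Constructed sample standing in for the real gem-history JSON.
const SAMPLE_HISTORY = { items: [{ date: '2009-01-01', gems: 10 }] };

// Demonstration: the same injected callback against both builders.
const injected = "alert('xss');//";
console.log(buildJsonpUnsafe(injected, SAMPLE_HISTORY));      // script that runs alert('xss')
console.log(buildJsonpSafe(injected, SAMPLE_HISTORY).status); // 400
console.log(buildJsonpSafe('showGems', SAMPLE_HISTORY).body); // showGems({...});
```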