Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Feedback
Share your thoughts, report bugs, or suggest improvements.
Subject
Message
Jsonp Callback Validator

Jsonp Callback Validator Laravel Package

willdurand/jsonp-callback-validator

Validate JSONP callback names to prevent XSS. JsonpCallbackValidator checks whether a callback like JSONP.callback is safe and rejects malicious function payloads. Use via instance or static validate(), installable via Composer.

View on GitHub
Deep Wiki
Context7

JSONP callback validator.

Frequently asked questions about Jsonp Callback Validator
How do I integrate JsonpCallbackValidator into a Laravel API endpoint to validate JSONP callbacks?
Use middleware for API endpoints. Create a middleware class (e.g., `ValidateJsonpCallback`) that checks the `callback` query parameter with `JsonpCallbackValidator::validate()`. Register it in `app/Http/Kernel.php` and apply it to routes via middleware. This ensures validation happens before processing.
Does this package work with Laravel 9/10 and PHP 8.x?
Yes, the package is fully compatible with Laravel 9/10 and PHP 8.x. Version 2.0.0+ explicitly supports these environments, and the codebase is tested against modern PHP versions. No Laravel-specific dependencies exist, so it integrates seamlessly.
What happens if a callback fails validation? Should I return a 400 error or handle it differently?
The package itself only returns a boolean (`true`/`false`). In Laravel, you can return a `400 Bad Request` response with a JSON error payload (e.g., `['error' => 'Invalid callback']`) in middleware or reject the request early. Alternatively, log the failure and fallback to a JSON-only response if your API supports it.
Can I use this validator in a service layer instead of middleware?
Absolutely. Wrap the validator in a service class (e.g., `JsonpValidator`) and inject it into controllers or other services. Call `JsonpCallbackValidator::validate()` before constructing the JSONP response. This approach is useful if you validate callbacks in multiple places or need reusable logic.
What types of JSONP callbacks does this package reject? Are there false positives?
The validator rejects callbacks containing malicious patterns like `eval()`, `function`, or obfuscated XSS payloads (e.g., `(function xss(){...})`). False positives are possible if your app uses valid but unconventional callback names (e.g., `callback=JSONP[0].onReady`). Test with your real-world payloads to ensure it aligns with your threat model.
Is there a performance impact if I validate every request, even non-JSONP ones?
The validator is lightweight and runs in microseconds. However, validating every request is unnecessary. Use middleware to restrict validation to JSONP endpoints only (e.g., routes with `callback` parameters). This avoids overhead while maintaining security.
How does this compare to writing a custom regex for JSONP validation?
This package is more robust than a custom regex because it’s battle-tested against known XSS vectors and edge cases. It also follows security best practices (e.g., rejecting callbacks with `function` keywords). Custom regexes risk missing obfuscated payloads or being overly permissive.
Can I use Laravel’s built-in Validator facade instead of this package?
Yes, but you’d need to create a custom validation rule. This package is specialized for JSONP callbacks and handles edge cases (e.g., nested functions, obfuscation) that a generic rule might miss. For simplicity and security, this package is the better choice if you’re exclusively validating JSONP.
What if my JSONP callback names are dynamic (e.g., user-provided) vs. static (e.g., hardcoded like `jsonp_callback`)?
Dynamic callbacks are higher risk and require strict validation. This package is designed for user-provided callbacks. If you use static names, you can skip validation entirely or whitelist them. For dynamic cases, always validate to prevent XSS, even if the risk seems low.
How do I test this package in my Laravel application?
Mock the validator in unit tests by injecting a fake instance or using dependency injection containers like Laravel’s `Mockery`. Test both valid (e.g., `JSONP.callback`) and malicious (e.g., `callback=alert(1)`) payloads. For integration tests, simulate HTTP requests with the `callback` parameter and verify responses.
Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.
Prompt
Add packages to context
No packages found.
yandex/translate-api
voku/simple_html_dom
league/flysystem-vfs
bkwld/upchuck
filament/spatie-laravel-tags-plugin
capell-app/block-library
axium/identity
cetria/laravel-dummy-models
cetria/reflection-helper
agropredict/sso-auth-bundle
evolvestudio/spam-protection
datacore/hub-sdk
develia/commons
cuci/prototurk-sdk
cuci/prototurk-sdk-symfony
develia/geo-bundle
dreamzy/livewire-charts
touchestate-sdk/php-sdk
22h/doctrine-garbage-collection-bundle
agtp/agtp-php