I would like to offer a web service via JSONP and was wondering if I need to sanitize the value of the callback parameter.

My current server-side script looks like this (more or less; the code is in PHP, but it could be anything really):

<?php
$data = ['status' => 'ok'];  // whatever the service returns (placeholder payload)
header("Content-type: application/javascript");
echo $_GET['callback'] . '(' . json_encode($data) . ')';  // callback value is echoed unsanitized

This is a classic XSS vulnerability.

If I need to sanitize it, then how? I was unable to find enough information about what might be allowed callback strings. I quote from Wikipedia:

While the padding (prefix) is typically the name of a callback function that is defined within the execution context of the browser, it may also be a variable assignment, an if statement, or any other Javascript statement prefix.

A:

Yes. When the callback is something like

(function xss(x){evil()})

then when you echo it back from PHP, it will look like

(function xss(x){evil()})(json)

so function xss will run, and evil() can be some code that sends cookies somewhere else.

So sanitize it to allow only valid function names; for example, limit it to alphanumeric characters.

S.Mark

S.Mark: Please explain something, downvoter.

christian studer: Looks good. I'll try this.
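As an added example (not code from the question or the answer above), here is the question's endpoint with the callback validated before it is echoed, the way the answer recommends. Function names, the sample `$data` payload, the length cap and the command-line self-check are assumptions made for the example.

```php
<?php
// Added example, not code from the original question or answer. It shows the
// endpoint from the question with the callback validated before it is echoed.
// Function names, the $data payload and the CLI self-check are assumptions.

// A callback is accepted only if it is a plain JavaScript identifier, optionally
// dotted (e.g. "app.handlers.done"), so that statements, parentheses, braces or
// operators such as "(function xss(x){evil()})" never reach the response.
function is_valid_jsonp_callback(string $callback): bool
{
    if ($callback === '' || strlen($callback) > 64) {   // length cap is an arbitrary choice
        return false;
    }
    $ident   = '[A-Za-z_$][A-Za-z0-9_$]*';
    $pattern = '/^' . $ident . '(?:\.' . $ident . ')*$/';
    return preg_match($pattern, $callback) === 1;
}

// Build the response body; returns null when the callback is unacceptable.
function jsonp_body(array $data, ?string $callback): ?string
{
    // JSON_HEX_* keep the payload safe even if the same JSON is ever inlined in HTML.
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($callback === null) {
        return $json;                       // plain JSON when no callback was requested
    }
    if (!is_valid_jsonp_callback($callback)) {
        return null;
    }
    // The leading "/**/" is a common hardening against content-sniffing tricks
    // on JSONP endpoints and is ignored by JavaScript parsers.
    return '/**/' . $callback . '(' . $json . ');';
}

$data = ['status' => 'ok', 'items' => [1, 2, 3]];  // constructed sample payload

if (PHP_SAPI === 'cli') {
    // Self-check when run from the command line: the string from the answer is refused.
    foreach (['handleData', 'app.handlers.done', '(function xss(x){evil()})'] as $cb) {
        printf("%-30s valid=%s\n", $cb, is_valid_jsonp_callback($cb) ? 'yes' : 'no');
    }
    echo jsonp_body($data, 'handleData'), PHP_EOL;
    exit;
}

// Web request handling: the same code path the question's snippet implements.
$callback = $_GET['callback'] ?? null;
if ($callback !== null && !is_string($callback)) {
    $callback = '';                         // e.g. callback[]=x; rejected by the validator
}
$body = jsonp_body($data, $callback);
if ($body === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    echo 'invalid callback';
    exit;
}
header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');   // stop browsers reinterpreting the response
echo $body;
```

Rejecting with a 400 instead of silently dropping the callback makes misuse visible in the server logs, and the allow-list approach means nothing that is not an identifier, including the `(function xss(x){evil()})` prefix from the answer, can ever be echoed.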