Description
The documentation for get() should mention the conditions under which it causes a XSS vulnerability, and describe what developers need to do to avoid introducing XSS when using get().
In particular, $.get(untrusted_url, function(...) {...}) is unsafe, if untrusted_url comes from an untrusted source (e.g., from the attacker, from another user). There are apparently two problems. First, if the attacker controls evil.com, the attacker can arrange for untrusted_url to hold something like http://evil.com/callback=? and then arrange for evil.com to respond to that request with malicious Javascript. JQuery's JSONP auto-detection will then eval the Javascript found in the response to that request, making the $.get() call a XSS vulnerability. Second, if the attacker controls evil.com, the attacker can arrange for untrusted_url to be any URL under evil.com and then arrange for evil.com to respond to that request with malicious Javascript served with a Content-Type set to something Javascript-like.
This is a foot-gun. It's not clear from the documentation for get() that it can introduce this kind of vulnerability when part or all of the URL can be controlled by the attacker. The documentation for get() has no mention of the fact that it might auto-guess JSONP and eval the response from the server, let alone the conditions under which this happens. It also does not mention that it might eval the response from the server, if its Content-Type is set to make it look like Javascript. The documentation doesn't describe what developers have to do to be safe.
Documenting this more clearly would help developers avoid inadvertent XSS vulnerabilities in their code.
[Is the following still true? I have not verified it, and it might no longer be the only safe way.] Apparently if the URL might be partially or completely under attacker control, the only safe way to fetch JSON from that URL is to use $.ajax(url, {dataType: 'json', jsonp: false});. In particular, it is necessary to set dataType to json and set the jsonp option to false. This fact is not apparent from the documentation -- it should be described in the documentation more clearly. Also there appears to be no way to set this combination of settings with the $.get() method, so when the URL might be under attacker control, it's necessary to use $.ajax().
See http://stackoverflow.com/q/29044209/ for details.
Re-filed from jquery/jquery#2174 per suggestion there. See also #732.