
Docs for getJSON() should specify under what conditions it is secure #756

Closed
@davidwagner

The documentation for getJSON() should mention the conditions under which it causes an XSS vulnerability, and describe what developers need to do to avoid introducing XSS when using getJSON().

In particular, $.getJSON(untrusted_url, function(...) {...}) is unsafe if untrusted_url comes from an untrusted source (e.g., from the attacker, from another user). If the attacker controls evil.com, the attacker can arrange for untrusted_url to hold something like http://evil.com/callback=? and then arrange for evil.com to respond to that request with malicious JavaScript. jQuery's JSONP auto-detection will then eval the JavaScript found in the response to that request, making the $.getJSON() call an XSS vulnerability.

This is a foot-gun. It's not clear from the documentation for getJSON() that it can introduce this kind of vulnerability when part or all of the URL can be controlled by the attacker. Documenting this more clearly would help developers avoid inadvertent XSS vulnerabilities in their code.

[Is the following still true? I have not verified it, and it might no longer be the only safe way.] Apparently if the URL might be partially or completely under attacker control, the only safe way to fetch JSON from that URL is to use $.ajax(url, {dataType: 'json', jsonp: false});. This fact is not apparent from the documentation -- it should be described in the documentation more clearly.

See http://stackoverflow.com/q/29022794/ for details.

Re-filed from jquery/jquery#2173, as that was the wrong place to file it. See also #755 and #732; this could be combined with those two. Probably it suffices to have one issue to cover these, but I thought I'd record the full details and justification so there's a description of them.
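As an added illustration (not jQuery's own code and not part of the issue author's report), the following models the URL rule behind the JSONP auto-detection described above and the `$.ajax(url, {dataType: 'json', jsonp: false})` mitigation. The regex is assumed to mirror the check in jQuery's JSONP transport, and the sample URLs are constructed.

```javascript
// Assumed to mirror jQuery's JSONP auto-detection pattern: "=?" right before
// "&" or the end of the string, or a literal "??", anywhere in the URL.
const JSONP_AUTODETECT = /(=)\?(?=&|$)|\?\?/;

// Returns true when a dataType:'json' request would be upgraded to JSONP,
// i.e. the response would be executed as a script instead of parsed as JSON.
// `options` covers the subset of $.ajax settings that influence the decision.
function wouldAutoDetectJsonp(url, options = {}) {
  const { jsonp, data, contentType = "application/x-www-form-urlencoded" } = options;
  if (jsonp === false) return false;            // explicit opt-out always wins
  if (JSONP_AUTODETECT.test(url)) return true;  // pattern in the URL itself
  // jQuery also inspects string `data` sent as a form-encoded body/query.
  return typeof data === "string" &&
    contentType.indexOf("application/x-www-form-urlencoded") === 0 &&
    JSONP_AUTODETECT.test(data);
}

// Hardened replacement for $.getJSON(untrustedUrl, cb): the settings object to
// hand to $.ajax so the response is only ever parsed as JSON, never executed,
// regardless of what the (possibly attacker-influenced) URL contains.
function safeJsonSettings(url) {
  return { url, dataType: "json", jsonp: false };
}

// Constructed sample inputs; none of these hosts are real targets.
const samples = [
  "http://api.example.com/data?id=1",   // ordinary JSON endpoint: stays JSON
  "http://evil.com/callback=?",          // pattern from the issue: becomes JSONP
  "http://evil.com/?callback=?&x=1",     // same pattern before "&": becomes JSONP
  "http://evil.com/??",                  // literal "??": becomes JSONP
];

for (const url of samples) {
  const unsafe = wouldAutoDetectJsonp(url);                       // $.getJSON behaviour
  const hardened = wouldAutoDetectJsonp(url, safeJsonSettings(url)); // jsonp:false
  console.log(`${url}\n  getJSON -> JSONP? ${unsafe}\n  jsonp:false -> JSONP? ${hardened}`);
}
```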
