xss-nginx-module
JSON seems to be the only intended return type
Wrapping content in callback( without quotes/escaping works well for JSON content; however, it does not work for e.g. HTML. When trying to pull HTML cross-domain with JSONP (with this module), the result is callback(<html...</html>) without any quotes and/or escaping.
We either need a flag of some kind or some other method (including content detection) to determine whether the returned content is pure JSON or something else, and if it is something else, wrap it in quotes/escape the contents.
@bjovanovic Yes, we could add an nginx configuration directive to enable a mode in which ngx_xss always quotes the response as a JSON string. Will you contribute a patch for this?
@agentzh Not really super skilled in C/writing stuff in nginx plugins, so not sure I would know how to do this at production quality.
Also, not sure that a simple flag would do. For instance, we do want to be able to GET both JSON and HTML files cross-domain in our project, for different purposes.
@bjovanovic Well, for more complicated logic, you're recommended to use the ngx_lua module instead: https://github.com/chaoslawful/lua-nginx-module#readme And you'll have more than one option to choose from, ready for production use.
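Added example, not code from xss-nginx-module or from anyone in this thread: a JavaScript function that builds a JSONP body the way the "always quote as a JSON string" mode discussed above would, with content detection as a fallback. Valid JSON is passed through, anything else (HTML, plain text) is emitted as a JSON string literal, and the callback name is restricted to a conservative identifier pattern. The `alwaysQuote` option, the callback regex, the helper names and the sample upstream bodies are all this example's own assumptions.

```javascript
// Added example (not xss-nginx-module code): build a JSONP response body from
// an upstream response so the callback always receives a single JS value.

// Assumed policy: a dotted identifier path only, so the callback parameter
// cannot be used to inject arbitrary JavaScript (e.g. "alert(1);//").
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Content detection: does the upstream body parse as JSON at all?
function isValidJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// U+2028/U+2029 are legal inside JSON strings but were syntax errors inside
// JavaScript string literals before ES2019, so escape them in pass-through
// JSON too. In valid JSON they can only occur inside string values, so the
// escape does not change what the client decodes.
function escapeLineTerminators(text) {
  return text.replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Quote an arbitrary body as a JSON string literal. JSON.stringify handles
// quotes, backslashes and control characters; "<" is additionally escaped so
// the output is inert even if it ends up inlined into an HTML <script> block.
function toJsScriptSafeString(text) {
  return escapeLineTerminators(JSON.stringify(text).replace(/</g, "\\u003c"));
}

function jsonpBody(callback, upstreamBody, opts = {}) {
  if (!CALLBACK_RE.test(callback)) {
    throw new Error("invalid JSONP callback name");
  }
  const alwaysQuote = Boolean(opts.alwaysQuote);
  // Caveat: with content detection, a malformed JSON upstream is silently
  // delivered as a string rather than an object; alwaysQuote avoids that
  // ambiguity at the cost of making the client JSON.parse the string itself.
  const payload = !alwaysQuote && isValidJson(upstreamBody)
    ? escapeLineTerminators(upstreamBody)
    : toJsScriptSafeString(upstreamBody);
  return `${callback}(${payload});`;
}

// Constructed sample upstream responses (not real captured traffic).
const SAMPLE_JSON = '{"user":"alice","roles":["admin"]}';
const SAMPLE_HTML = '<html><body><script>alert(1)</script></body></html>';

// Usage: jsonpBody("app.cb", SAMPLE_HTML) yields
//   app.cb("\u003chtml>\u003cbody>...\u003c/html>");
// while jsonpBody("cb", SAMPLE_JSON) passes the object literal through.
```

In the pass-through branch the JSON is emitted unchanged apart from the line-terminator escapes, which is exactly what the module does today; the quoting branch is what the thread's proposed directive would add, and the `alwaysQuote` flag shows why bjovanovic's objection holds: one site-wide setting cannot serve both JSON and HTML clients, so selection has to happen per location or per request.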