To be safe, you should encode callback to only allow valid JS function names. Nothing complex, just don't allow end-developers to inject any JavaScript.
Here's some code:
<?php
// Reduce the callback to characters that are legal in a JavaScript identifier;
// any other byte is replaced (default: underscore), so no script can be injected.
function strtoident($orig, $replace = '_') {
    for ($i = 0; $i < strlen($orig); $i++) {
        $o = ord($orig[$i]);
        if (!((($o >= 48) && ($o <= 57))    // numbers
            || (($o >= 97) && ($o <= 122))  // lowercase
            || (($o >= 65) && ($o <= 90))   // uppercase
            || ($orig[$i] == '_')))         // underscore
            $orig[$i] = $replace; // check failed, use replacement
    }
    return $orig;
}
$json = json_encode($data);
echo isset($_GET['callback'])
    ? strtoident($_GET['callback']) . '(' . $json . ');'
    : $json;
?>
Edit:
The reason is to avoid hackers pointing innocent victims to:
http://yoursite.com/jsonp.php?callback=(function(){ $(document.body).append(''); })//
Which can be broken down to:
(function(){
$(document.body).append(
''
);
})//("whatever");
With the latter part being the JSON you encoded, easily cancelled out with a comment (though unnecessary for their exploit to work). Basically, the hacker gets to know the user's cookies (among other things), which helps him gain access to the user's account with your website.
Edit: UTF-8 Compatibility. In order to substantiate my claims, read here. Or:
Like UTF-16 and UTF-32, UTF-8 can represent every character in the Unicode character set. Unlike them, it is backward-compatible with ASCII and avoids the complications of endianness and byte order marks (BOM).
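The same filtering rule as the answer's strtoident(), carried over to a Node.js JSONP responder as an added example (not code from the original answer); it also adds a stricter reject-instead-of-repair check, and the attack string is the one from the URL above, embedded here as constructed sample input. Function names (strToIdent, validCallback, jsonpBody) are this example's own.

```javascript
// Same rule as the answer's strtoident(): keep [0-9A-Za-z_], replace every
// other character (default '_'). Whatever comes in, only a bare identifier
// can come out, so the callback can never carry a script fragment.
function strToIdent(orig, replace = '_') {
  return String(orig).replace(/[^0-9A-Za-z_]/g, replace);
}

// Stricter variant for a defender who prefers to refuse rather than repair:
// a plain identifier (optionally dotted, e.g. "jQuery.cb1"), not starting
// with a digit and bounded in length. Returns null when not acceptable.
const IDENT_RE = /^[A-Za-z_][0-9A-Za-z_]*(\.[A-Za-z_][0-9A-Za-z_]*)*$/;
function validCallback(cb) {
  return typeof cb === 'string' && cb.length <= 64 && IDENT_RE.test(cb) ? cb : null;
}

// Build the response body the way the PHP snippet does:
// "callback(<json>);" when a callback is present, bare JSON otherwise.
function jsonpBody(data, callback) {
  const json = JSON.stringify(data);
  if (callback === undefined || callback === null) return json;
  return strToIdent(callback) + '(' + json + ');';
}

// Constructed sample input: the callback value from the exploit URL above.
const ATTACK = "(function(){ $(document.body).append(''); })//";

// Once filtered, the attack collapses to an identifier that, at worst,
// calls a function that does not exist; the injected script is gone.
function demo() {
  return {
    filtered: strToIdent(ATTACK),
    body: jsonpBody({ ok: true }, ATTACK),
    rejected: validCallback(ATTACK) === null,
  };
}
```

Serve the body as `application/javascript; charset=utf-8` with `X-Content-Type-Options: nosniff`, so a browser will never interpret the endpoint's output as HTML.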