JSON.stringify </script>

Michał Wadas michalwadas at gmail.com
Wed Sep 28 17:06:31 UTC 2016


Idea: require implementations to stringify "</script>" as "<\uxxxxscript>".

Benefits: remove XSS vulnerability when injecting JSON as content of
<script> tag (quite common antipattern).

Backward compatible: yes, unless binary equality is required and this
string is used.
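
Added example (not part of the original message, and not code from any ECMAScript proposal): a userland serializer that applies the escaping idea above, shown beside plain JSON.stringify. It goes beyond the literal "</script>" string by escaping every "<", plus ">", "&", U+2028 and U+2029; the function names and the sample object are assumptions made for illustration.

```javascript
// Added example; all function names here are hypothetical.

// "<" covers "</script" and "<!--"; ">" and "&" are escaped as well, as is
// commonly done; U+2028/U+2029 are line terminators to pre-ES2019 parsers.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

// Serialize a value as JSON that can sit inside <script>...</script>.
// In JSON.stringify output these characters occur only inside string
// literals, where a \uXXXX escape is valid and decodes to the same character.
function stringifyForScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError('value is not JSON-serializable');
  }
  return json.replace(SCRIPT_UNSAFE, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Mimic how an HTML parser finds the end of a script element: the first
// "</script" (case-insensitive) closes it, regardless of JavaScript quoting.
function scriptBodySeenByHtmlParser(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

// Constructed sample input: a user-controlled field containing a closing tag.
const sample = { name: 'a</script><b>marker</b>', note: 'x\u2028y & z' };

// The antipattern from the message: raw JSON placed in a script element.
function renderNaive(value) {
  return '<script>var data = ' + JSON.stringify(value) + ';</script>';
}

// Same template, using the escaping serializer.
function renderEscaped(value) {
  return '<script>var data = ' + stringifyForScript(value) + ';</script>';
}

console.log(scriptBodySeenByHtmlParser(renderNaive(sample)));
console.log(scriptBodySeenByHtmlParser(renderEscaped(sample)));
```

The escaped output parses back to an identical value with JSON.parse; only the serialized bytes differ, which is the "binary equality" caveat in the message.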