JSON.stringify </script>

Mike Samuel mikesamuel at gmail.com
Wed Sep 28 17:24:52 UTC 2016

I think defining an easy way to produce embeddable JSON is a great
idea, but it's not quite that simple.

https://github.com/OWASP/json-sanitizer#output captures some
requirements that I came up with for embedding JSON in HTML:

The output is well-formed JSON as defined by RFC 4627. The output
satisfies these additional properties:

* The output will not contain the substring (case-insensitively)
"</script" so can be embedded inside an HTML script element without
further encoding.
* The output will not contain the substring "]]>" so can be embedded
inside an XML CDATA section without further encoding.
* The output is a valid Javascript expression, so can be parsed by
Javascript's eval builtin (after being wrapped in parentheses) or by
JSON.parse. Specifically, the output will not contain any string
literals with embedded JS newlines (U+2028 Paragraph separator or
U+2029 Line separator).
* The output contains only valid Unicode scalar values (no isolated
UTF-16 surrogates) that are allowed in XML unescaped.

These apply equally well to RFC 7159 IIUC.  The latter few constraints
are required to allow embedding of JSON in HTML in a foreign content
context ( https://www.w3.org/TR/html5/syntax.html#cdata-sections ).

Those rules are sufficient to allow embedding in HTML without breaking
token boundaries in the embedding language.

To preserve semantics when embedding in HTML you also need to escape '&'.
To prevent exfiltration via external entities in SVG & other XML
variants, you should probably also escape '%'.

On Wed, Sep 28, 2016 at 10:06 AM, Michał Wadas <michalwadas at gmail.com> wrote:
> Idea: require implementations to stringify "</script>" as "<\uxxxxscript>".
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
> Backward compatible: yes, unless binary equality is required and this string
> is used.
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss

More information about the es-discuss mailing list