alex at weej.com
Wed Sep 28 18:31:47 UTC 2016
That's awful. As you say, it's an antipattern, no further effort should be
slapping directly into a script tag unencoded, so no-one else should have
Instead, use XHTML and CDATA (which has a straightforward encoding
mechanism that doesn't ruin the parseability of the code or affect it in
any way) if you really want to pull stunts like this.
On Wednesday, 28 September 2016, Michał Wadas <michalwadas at gmail.com> wrote:
> Idea: require implementations to stringify "</script>" as
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
> Backward compatible: yes, unless binary equality is required and this
> string is used.
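One way to close the gap Michał describes without changing JSON.stringify itself, as an added example that is not part of this thread: a wrapper that rewrites the few characters the HTML parser reacts to (`<`, `>`, `&`, and the U+2028/U+2029 line terminators) using JSON's own `\uXXXX` escapes, so the parsed value is byte-for-byte the same. The function names, the breakout check and the sample data are constructed for this example.

```javascript
// Added example (not from the es-discuss thread): serialize JSON so it can
// sit inside an HTML <script> element without ending the element early.
// JSON permits any character to be written as a \uXXXX escape, so replacing
// the HTML-significant characters does not change what JSON.parse returns.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

const ESCAPES = {
  '<': '\\u003c',      // stops "</script" and "<!--" from reaching the HTML tokenizer
  '>': '\\u003e',      // stops "-->" and the CDATA terminator "]]>"
  '&': '\\u0026',      // irrelevant in HTML <script>, but keeps XHTML/XML embedding safe too
  '\u2028': '\\u2028', // line separator: legal in JSON strings, a line terminator in older JS
  '\u2029': '\\u2029', // paragraph separator: same problem
};

// Serialize `value` so the result is safe between <script> and </script>.
function stringifyForScript(value) {
  return JSON.stringify(value).replace(SCRIPT_UNSAFE, (ch) => ESCAPES[ch]);
}

// Defensive check for serialized output that would terminate the script
// element early. Case-insensitive because the HTML tokenizer matches the
// tag name that way.
function hasScriptBreakout(serialized) {
  return /<\/script|<!--/i.test(serialized);
}

// Escaping changes the bytes, never the value: parse it back and compare.
function roundTripsUnchanged(value) {
  return JSON.stringify(JSON.parse(stringifyForScript(value))) === JSON.stringify(value);
}

// Constructed sample: a user-supplied comment containing the thread's problem string.
const userData = { name: 'alex', comment: 'see </script> and \u2028 here' };

const naive = JSON.stringify(userData);   // would end the <script> element at "</script>"
const safe = stringifyForScript(userData); // "\u003c/script\u003e" is inert to the HTML parser

console.log(hasScriptBreakout(naive), hasScriptBreakout(safe)); // true false
console.log(safe);
```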