JSON.stringify </script>

Alexander Jones alex at weej.com
Wed Sep 28 18:31:47 UTC 2016


That's awful. As you say, it's an antipattern, no further effort should be
spent on this. JSON produced by JavaScript has far more general uses than
slapping directly into a script tag unencoded, so no-one else should have
to see this. Also, there are many other producers of JSON than JavaScript.

Instead, use XHTML and CDATA (which has a straightforward encoding
mechanism that doesn't ruin the parseability of the code or affect it in
any way) if you really want to pull stunts like this.

Alex

On Wednesday, 28 September 2016, Michał Wadas <michalwadas at gmail.com> wrote:

> Idea: require implementations to stringify "</script>" as
> "<\uxxxxscript>".
>
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
>
> Backward compatible: yes, unless binary equality is required and this
> string is used.
>
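
The escaping described in the quoted proposal can also be applied by the code that embeds the JSON, without changing `JSON.stringify`. The block below is an added example, not part of the thread or of any ECMAScript text; the helper names `jsonForInlineScript` and `findScriptBreakers` and the sample value are constructed here. It goes beyond the `</script>` case by also escaping `>`, `&`, U+2028 and U+2029.

```javascript
// Added example: serialize a value for embedding inside an inline <script>
// element. Helper names are hypothetical, not from the thread.

// JSON string escapes for characters that matter to the HTML tokenizer
// (or, for U+2028/U+2029, to pre-ES2019 JavaScript string literals).
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function jsonForInlineScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    // JSON.stringify returns undefined for functions, symbols and undefined.
    throw new TypeError('value is not JSON-serializable');
  }
  // In valid JSON these characters occur only inside string literals,
  // so replacing them with \uXXXX escapes keeps the parsed value identical.
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Detection helper: sequences that change parsing state inside <script>.
function findScriptBreakers(text) {
  return text.match(/<\/script|<!--|<script/gi) || [];
}

// Constructed sample input.
const sample = {
  comment: 'closing tag </ScRiPt> in user text',
  note: 'line\u2028separator and <!-- comment opener',
};

const raw = JSON.stringify(sample);
const safe = jsonForInlineScript(sample);
console.log(findScriptBreakers(raw));   // sequences present in plain output
console.log(findScriptBreakers(safe));  // none after escaping
console.log(safe);
```

The escaped output is still valid JSON and parses back to the same value, so other JSON consumers are unaffected.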