JSON.stringify </script>

Michał Wadas michalwadas at gmail.com
Wed Sep 28 18:41:22 UTC 2016


Actually, CDATA suffers from the same issue, for the string "]]>". Mike Samuel has a
very strong point here.

And by saying "it's an antipattern, don't do this" we will not make old
vulnerable code go away. And we have a very good way to stop people from
shooting themselves in the foot - for free.

On 28 Sep 2016 8:31 p.m., "Alexander Jones" <alex at weej.com> wrote:

That's awful. As you say, it's an antipattern; no further effort should be
spent on this. JSON produced by JavaScript has far more general uses than
slapping it directly into a script tag unencoded, so no one else should have
to see this. Also, there are many other producers of JSON than JavaScript.

Instead, use XHTML and CDATA (which has a straightforward encoding
mechanism that doesn't ruin the parseability of the code or affect it in
any way) if you really want to pull stunts like this.

Alex


On Wednesday, 28 September 2016, Michał Wadas <michalwadas at gmail.com> wrote:

> Idea: require implementations to stringify "</script>" as
> "<\uxxxxscript>".
>
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
>
> Backward compatible: yes, unless binary equality is required and this
> string is used.
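The failure mode discussed in this thread, as an added example that is not part of the original posts and not code from the es-discuss participants: untrusted data goes through JSON.stringify straight into a `<script>` element, and the HTML tokenizer ends the element at the first `</script` it sees, whatever the JavaScript string syntax says. The hardened variant goes a little beyond the single `</script>` case the proposal names: it rewrites every `<`, `>`, `&`, U+2028 and U+2029 in the JSON text as a `\uXXXX` escape, which is still valid JSON, so the value round-trips unchanged. The CDATA helper covers the `]]>` terminator mentioned for XHTML. All function names (`embedUnsafe`, `jsonForScript`, `embedSafe`, `breaksOutOfScript`, `cdataForScript`) and the sample input are my own; `breaksOutOfScript` is a simplified model of the tokenizer's script-data state, not a full HTML parser.

```javascript
// Added example, not from the es-discuss thread. Shows why raw JSON.stringify
// output is unsafe inside <script>, and one way to make it safe.

// Constructed attacker-controlled input (hypothetical).
const untrusted = {
  name: '</script><script>alert(document.cookie)</script>',
  note: 'line\u2028break and ]]> terminator',
};

// Vulnerable: JSON.stringify does not escape "<", ">" or "&", so the closing
// tag inside the string ends the <script> element early.
function embedUnsafe(value) {
  return '<script>var data = ' + JSON.stringify(value) + ';</script>';
}

// Hardened: \uXXXX escapes are legal in JSON string literals, so the result
// is still valid JSON and a valid JavaScript expression. U+2028/U+2029 are
// included because older engines treat them as line terminators in literals.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

function embedSafe(value) {
  return '<script>var data = ' + jsonForScript(value) + ';</script>';
}

// Simplified model of the HTML tokenizer's script-data state: the element
// ends at "</script" (case-insensitive) followed by whitespace, "/" or ">".
// Returns true when the embedded payload would close the element early.
function breaksOutOfScript(html) {
  const body = html.slice('<script>'.length, -'</script>'.length);
  return /<\/script[\s/>]/i.test(body);
}

// XHTML CDATA has a single terminator, "]]>". Splitting it across two CDATA
// sections ("]]" in the first, ">" in the second) keeps the text intact.
function cdataForScript(text) {
  return '<![CDATA[' + text.split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Helper for checking the CDATA output: concatenate the content of every
// CDATA section, the way an XML parser would see the character data.
function cdataContent(markup) {
  let out = '';
  for (const m of markup.matchAll(/<!\[CDATA\[([\s\S]*?)\]\]>/g)) out += m[1];
  return out;
}
```

The escape set is what a practitioner would apply to any JSON destined for an inline script, regardless of which serializer produced it; it is independent of whether JSON.stringify itself ever adopts the proposed behaviour.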
>


More information about the es-discuss mailing list