JSON.stringify </script>

Kris Siegel krissiegel at gmail.com
Wed Sep 28 20:10:12 UTC 2016


ECMAScript, while highly used in web browsers, should really not care about
HTML constructs. That's where WHATWG and W3C come in. I suggest this type
of feature should come from one of those groups, not ECMA.

On Wed, Sep 28, 2016 at 11:54 AM, Alexander Jones <alex at weej.com> wrote:

> Hi Michał
>
> Embedding a JSON literal into HTML involves first encoding to JSON then
> encoding that into HTML. Two stages which must not be confused. The
> 'encoding into HTML' part is best done in XHTML with CDATA, and the
> encoding method is taken care of by whichever XML-generating library you're
> using. If you hint it to use CDATA for such a text node, or if for any
> other reason it chooses to use CDATA, rather than merely converting every
> `<` to `<`, etc., then it will (or should) "escape" `]]>` as
> `]]]]><![CDATA[>` or whatever equivalent. See https://en.wikipedia.org/
> wiki/CDATA#Nesting for more info. Crucially, this works for encoding ANY
> text data into a text node in an XML document, not just JSON.
>
> Having the specified JSON algorithm in ECMAScript deal with concerns of
> embedding into legacy, non XML-based HTML (oh yes, I totally went there! ;)
> ) is a classic layer violation, which I would guarantee offends 99 out of
> 100 experienced programmers' sensibilities. :)
>
> Aside, I'll repeat again that this would be largely ineffective - a lot of
> JSON that might be dumbly pasted into a text stream of HTML would be
> generated by implementations other than that specified by ECMAScript.
>
> Hope this clears it up
>
> Alex
>
> On 28 September 2016 at 19:41, Michał Wadas <michalwadas at gmail.com> wrote:
>
>> Actually CDATA suffer the same issue - for string "]]>". Mike Samuel has
>> a very strong point here.
>>
>> And by saying "it's antipattern, don't do this" we will not make old
>> vulnerable code go away. And we have a very good way to stop people from
>> shooting their own feet - for free.
>>
>> On 28 Sep 2016 8:31 p.m., "Alexander Jones" <alex at weej.com> wrote:
>>
>> That's awful. As you say, it's an antipattern, no further effort should
>> be spent on this. JSON produced by JavaScript has far more general uses
>> than slapping directly into a script tag unencoded, so no-one else should
>> have to see this. Also, there are many other producers of JSON than
>> JavaScript.
>>
>> Instead, use XHTML and CDATA (which has a straightforward encoding
>> mechanism that doesn't ruin the parseability of the code or affect it in
>> any way) if you really want to pull stunts like this.
>>
>> Alex
>>
>>
>> On Wednesday, 28 September 2016, Michał Wadas <michalwadas at gmail.com>
>> wrote:
>>
>>> Idea: require implementations to stringify "</script>" as
>>> "<\uxxxxscript>".
>>>
>>> Benefits: remove XSS vulnerability when injecting JSON as content of
>>> <script> tag (quite common antipattern).
>>>
>>> Backward compatible: yes, unless binary equality is required and this
>>> string is used.
>>>
>>
>>
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
>