JSON.stringify </script>

Mike Samuel mikesamuel at gmail.com
Wed Sep 28 22:33:16 UTC 2016


I agree it's subideal, which is why I work to address problems like this in
template systems, but ad-hoc string concatenation happens and embeddable
sub-languages provide defense-in-depth without sacrificing correctness.

CDATA sections solve no problems because they cannot contain any string
that has "]]>" as a substring, so you still have to s/\]\]>/]]>]]<!CDATA>/g.

On Sep 28, 2016 2:32 PM, "Alexander Jones" <alex at weej.com> wrote:

> That's awful. As you say, it's an antipattern, no further effort should be
> spent on this. JSON produced by JavaScript has far more general uses than
> slapping directly into a script tag unencoded, so no-one else should have
> to see this. Also, there are many other producers of JSON than JavaScript.
>
> Instead, use XHTML and CDATA (which has a straightforward encoding
> mechanism that doesn't ruin the parseability of the code or affect it in
> any way) if you really want to pull stunts like this.
>
> Alex
>
> On Wednesday, 28 September 2016, Michał Wadas <michalwadas at gmail.com>
> wrote:
>
>> Idea: require implementations to stringify "</script>" as
>> "<\uxxxxscript>".
>>
>> Benefits: remove XSS vulnerability when injecting JSON as content of
>> <script> tag (quite common antipattern).
>>
>> Backward compatible: yes, unless binary equality is required and this
>> string is used.
>>
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
>
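Added example, not code from the thread or from any of its participants, illustrating the two points argued above: why JSON.stringify output dropped into an HTML <script> element can terminate the element early, what the \uXXXX escaping that Michał proposes looks like when done at the embedding site, and why a CDATA section still needs "]]>" handled (the split form used here, "]]]]><![CDATA[>", is the standard way of doing it). The function names, the tokenizer approximation and the sample value are this example's own assumptions.

```javascript
// Added example (not from the es-discuss thread): serialize JSON so it can be
// placed inside an HTML <script> element, and show that the CDATA alternative
// needs its own escaping. All names below are this example's own.
//
// JSON.stringify leaves "<", ">", "&" and the line terminators U+2028/U+2029
// untouched. The HTML tokenizer ends a <script> element at the first
// "</script" it sees, with no regard for JavaScript string boundaries, so a
// value such as {"n":"</script><script>alert(1)</script>"} breaks out of the
// script. Replacing those characters with JSON \uXXXX escapes keeps the text
// valid JSON and valid JavaScript while keeping "</script>" out of the HTML.

const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

function jsonForScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) return "null"; // JSON.stringify(undefined) and friends
  return json.replace(SCRIPT_UNSAFE, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The embedding the thread calls an antipattern, so both forms can be compared.
function embedInScript(serialized) {
  return "<script>var data = " + serialized + ";</script>";
}

// Where an HTML tokenizer would end the <script> element opened at offset 0:
// the first "</script" followed by whitespace, "/" or ">", case-insensitively.
// This is a simplification of the tokenizer's script-data state, not a parser.
function scriptEndOffset(html) {
  const m = /<\/script[\s\/>]/i.exec(html);
  return m ? m.index : -1;
}

// True if the serialized value would terminate the <script> element early.
function breaksOutOfScript(serialized) {
  const html = embedInScript(serialized);
  const intendedEnd = html.lastIndexOf("</script>");
  return scriptEndOffset(html) !== intendedEnd;
}

// XHTML/CDATA alternative: a CDATA section cannot contain "]]>", so the
// section is split at every occurrence:  "]]>"  ->  "]]]]><![CDATA[>"
// (close the section after "]]", then open a new one that starts with ">").
function cdataForXhtmlScript(js) {
  return "<![CDATA[" + js.replace(/\]\]>/g, "]]]]><![CDATA[>") + "]]>";
}

// Concatenate the contents of all CDATA sections in `xml`; an XML parser
// yields the same concatenation as the script element's text content.
function cdataTextContent(xml) {
  let out = "";
  let i = 0;
  for (;;) {
    const start = xml.indexOf("<![CDATA[", i);
    if (start < 0) break;
    const end = xml.indexOf("]]>", start + 9);
    if (end < 0) throw new Error("unterminated CDATA section");
    out += xml.slice(start + 9, end);
    i = end + 3;
  }
  return out;
}

// Constructed sample input (not real data): a user-controlled string that
// carries a script close tag and a CDATA terminator.
const SAMPLE = {
  name: "</script><script>alert(1)</script>",
  note: "]]> is the CDATA terminator",
};

function demo() {
  const naive = JSON.stringify(SAMPLE);
  const safe = jsonForScript(SAMPLE);
  const js = "var data = " + naive + ";";
  return {
    naiveBreaksOut: breaksOutOfScript(naive),                    // true
    safeBreaksOut: breaksOutOfScript(safe),                      // false
    safeRoundTrips: JSON.stringify(JSON.parse(safe)) === naive,  // true
    cdataRoundTrips: cdataTextContent(cdataForXhtmlScript(js)) === js, // true
  };
}
```

The escaped form stays parseable by any JSON consumer, which is what makes doing this at the embedding site (rather than in JSON.stringify itself) the cheaper fix: nothing that reads the JSON elsewhere has to know the escapes were applied.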