JSON.stringify </script>

Alexander Jones alex at weej.com
Thu Sep 29 00:03:21 UTC 2016


They do solve the problem. You encode your entire JS *before* pasting it,
encoding `]]>` and nothing more, and the XML document's text node contains
the unadulterated text, which the JS parser also sees. It's perfect layer
isolation. Ye olde HTML can't do that because there is no escaping
mechanism for `</script>` that actually allows the JS parser to see the
text (code) content unmodified.

Viva la `<xhtml:revolución />` ;)

On Wednesday, 28 September 2016, Mike Samuel <mikesamuel at gmail.com> wrote:

> I agree it's subideal which is why I work to address problems like this in
> template systems but ad-hoc string concatenation happens and embeddable
> sub-languages provide defense-in-depth without sacrificing correctness.
>
> CDATA sections solve no problems because they cannot contain any string
> that has "]]>" as a substring so you still have to s/\]\]>/]]>]]<!CDATA>/g.
>
> On Sep 28, 2016 2:32 PM, "Alexander Jones" <alex at weej.com
> <javascript:_e(%7B%7D,'cvml','alex at weej.com');>> wrote:
>
>> That's awful. As you say, it's an antipattern, no further effort should
>> be spent on this. JSON produced by JavaScript has far more general uses
>> than slapping directly into a script tag unencoded, so no-one else should
>> have to see this. Also, there are many other producers of JSON than
>> JavaScript.
>>
>> Instead, use XHTML and CDATA (which has a straightforward encoding
>> mechanism that doesn't ruin the parseability of the code or affect it in
>> any way) if you really want to pull stunts like this.
>>
>> Alex
>>
>> On Wednesday, 28 September 2016, Michał Wadas <michalwadas at gmail.com
>> <javascript:_e(%7B%7D,'cvml','michalwadas at gmail.com');>> wrote:
>>
>>> Idea: require implementations to stringify "</script>" as
>>> "<\uxxxxscript>".
>>>
>>> Benefits: remove XSS vulnerability when injecting JSON as content of
>>> <script> tag (quite common antipattern).
>>>
>>> Backward compatible: yes, unless binary equality is required and this
>>> string is used.
>>>
>>
>> _______________________________________________
>> es-discuss mailing list
>> es-discuss at mozilla.org
>> <javascript:_e(%7B%7D,'cvml','es-discuss at mozilla.org');>
>> https://mail.mozilla.org/listinfo/es-discuss
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20160929/689fecbf/attachment-0001.html>


More information about the es-discuss mailing list