mikesamuel at gmail.com
Thu Sep 29 00:34:27 UTC 2016
Without CDATA you have to encode script bodies properly. With CDATA you
have to encode script bodies properly. What problem did CDATA solve?
On Sep 28, 2016 8:03 PM, "Alexander Jones" <alex at weej.com> wrote:
> They do solve the problem. You encode your entire JS *before* pasting it,
> encoding `]]>` and nothing more, and the XML document's text node contains
> the unadulterated text, which the JS parser also sees. It's perfect layer
> isolation. Ye olde HTML can't do that because there is no escaping
> mechanism for `</script>` that actually allows the JS parser to see the
> text (code) content unmodified.
> Viva la `<xhtml:revolución />` ;)
> On Wednesday, 28 September 2016, Mike Samuel <mikesamuel at gmail.com> wrote:
>> I agree it's subideal which is why I work to address problems like this
>> in template systems but ad-hoc string concatenation happens and embeddable
>> sub-languages provide defense-in-depth without sacrificing correctness.
>> CDATA sections solve no problems because they cannot contain any string
>> that has "]]>" as a substring so you still have to s/\]\]>/]]>]]<!CDATA>/g.
>> On Sep 28, 2016 2:32 PM, "Alexander Jones" <alex at weej.com> wrote:
>>> That's awful. As you say, it's an antipattern, no further effort should
>>> than slapping directly into a script tag unencoded, so no-one else should
>>> have to see this. Also, there are many other producers of JSON than
>>> Instead, use XHTML and CDATA (which has a straightforward encoding
>>> mechanism that doesn't ruin the parseability of the code or affect it in
>>> any way) if you really want to pull stunts like this.
>>> On Wednesday, 28 September 2016, Michał Wadas <michalwadas at gmail.com>
>>>> Idea: require implementations to stringify "</script>" as
>>>> Benefits: remove XSS vulnerability when injecting JSON as content of
>>>> <script> tag (quite common antipattern).
>>>> Backward compatible: yes, unless binary equality is required and this
>>>> string is used.
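Added example, not part of the original thread or written by its participants: the two encodings debated above, side by side. The function names and the sample value are hypothetical; `jsonForScript` is one way to produce an "embeddable" JSON serialization, and `wrapInCdata` is the CDATA-only encoding that splits every `]]>`.

```javascript
// JSON structural characters never include <, > or &, so in JSON.stringify
// output these can only occur inside string literals, where a \uXXXX escape
// decodes to the same character for both JSON.parse and the JS parser.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // line terminators in pre-ES2019 script source
  '\u2029': '\\u2029',
};

// Serialize so that "</script", "<!--" and "]]>" cannot appear in the output,
// whether it lands in an HTML <script> element or an XHTML CDATA section.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// CDATA-only encoding: the text is left untouched except that each "]]>"
// is split across two adjacent CDATA sections.
function wrapInCdata(text) {
  return '<![CDATA[' + text.split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Minimal reader used only to check the round trip: concatenates the
// contents of adjacent CDATA sections, as an XML parser's text node would.
function readCdata(xml) {
  const re = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  let out = '';
  let m;
  while ((m = re.exec(xml)) !== null) out += m[1];
  return out;
}

// Constructed sample containing every sequence the thread worries about.
const sample = { bio: 'x</script><!-- ]]> \u2028' };

const raw = JSON.stringify(sample);   // unsafe to paste into <script> as-is
const safe = jsonForScript(sample);   // same value, no markup-significant bytes
console.log(raw.includes('</script'), safe.includes('</script')); // true false
console.log(readCdata(wrapInCdata(raw)) === raw);                 // true
```
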