simonp at opera.com
Thu Sep 29 10:17:43 UTC 2016
On Wed, 28 Sep 2016 19:06:31 +0200, Michał Wadas <michalwadas at gmail.com>
> Idea: require implementations to stringify "</script>" as
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
> Backward compatible: yes, unless binary equality is required and this
> string is used.
You would also need to escape "<!--" and "<script" for HTML. See
More information about the es-discuss
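
The point made in the thread, as an added example that is not part of the original messages: because `JSON.stringify` leaves "<" untouched, its output can contain "</script", "<!--" and "<script" when placed inside an inline script element, and escaping every "<" as `\u003c` removes all three while still parsing back to the same value. The names `jsonForScript` and `riskySequences` and the sample data are assumptions made for illustration; escaping ">", "&" and U+2028/U+2029 goes beyond what the thread mentions.

```javascript
'use strict';

// Characters rewritten after JSON.stringify. In JSON text these characters can
// only occur inside string literals (the structural characters are {}[],:"),
// so replacing them with \uXXXX escapes never changes the parsed value.
const ESCAPES = {
  '<': '\\u003c',      // covers "</script", "<!--" and "<script"
  '>': '\\u003e',      // covers "-->" (extra, not from the thread)
  '&': '\\u0026',      // matters if the page is served as XHTML (extra)
  '\u2028': '\\u2028', // line terminators in pre-ES2019 string literals (extra)
  '\u2029': '\\u2029',
};

// Serialize `value` so the result is safe to place inside <script>...</script>.
function jsonForScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    // JSON.stringify returns undefined for undefined, functions and symbols.
    throw new TypeError('value is not JSON-serializable');
  }
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Report which of the sequences named in the thread appear in `text`.
// The HTML tokenizer matches them case-insensitively, so compare in lower case.
function riskySequences(text) {
  const lower = text.toLowerCase();
  return ['</script', '<!--', '<script'].filter((seq) => lower.includes(seq));
}

// Constructed sample input standing in for attacker-influenced data.
const sample = {
  comment: '</SCRIPT><b>markup after the script element</b>',
  note: '<!-- <script>',
};

const plain = JSON.stringify(sample);
const escaped = jsonForScript(sample);

console.log('plain  :', riskySequences(plain));   // all three sequences present
console.log('escaped:', riskySequences(escaped)); // none present
console.log('round trip equal:',
  JSON.stringify(JSON.parse(escaped)) === plain);
```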