JSON.stringify </script>

Simon Pieters simonp at opera.com
Thu Sep 29 10:17:43 UTC 2016

On Wed, 28 Sep 2016 19:06:31 +0200, Michał Wadas <michalwadas at gmail.com>  

> Idea: require implementations to stringify "</script>" as  
> "<\uxxxxscript>".
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
> Backward compatible: yes, unless binary equality is required and this
> string is used.

You would also need to escape "<!--" and "<script" for HTML. See  

Simon Pieters
Opera Software
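
The escaping discussed in this thread, as an added example that is not part of the original messages: it goes slightly beyond the proposal by writing every `<` in the serialized output as `\u003c`, which covers "</script", "<script" and "<!--" at once while `JSON.parse` still returns the original value. The function names and the sample object are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): serialize a value for embedding
// inside an inline <script> block. jsonForInlineScript and
// findScriptBreakers are hypothetical names.

// Sequences named in the thread as significant to the HTML parser.
const SCRIPT_BREAKERS = ["</script", "<script", "<!--"];

// Return the breakers present in text. HTML tag names are matched
// case-insensitively, so "</ScRiPt" counts as well.
function findScriptBreakers(text) {
  const lower = text.toLowerCase();
  return SCRIPT_BREAKERS.filter((seq) => lower.includes(seq));
}

// JSON.stringify, then write every "<" as the JSON escape \u003c.
// In JSON.stringify output (called without an indent argument) "<" can
// only occur inside string literals, keys or values, so the replacement
// never alters the structure of the document.
function jsonForInlineScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    // undefined, functions and symbols have no JSON representation.
    throw new TypeError("value has no JSON representation");
  }
  return json.replace(/</g, "\\u003c");
}

// Constructed sample input containing all three sequences.
const sample = {
  comment: "text </ScRiPt> more <script> text",
  note: "<!-- not a real comment",
  "<key>": "a \\< b",
};

const raw = JSON.stringify(sample);
const safe = jsonForInlineScript(sample);

console.log("plain JSON.stringify contains:", findScriptBreakers(raw));
console.log("escaped output contains:", findScriptBreakers(safe));
console.log("round-trips:", JSON.stringify(JSON.parse(safe)) === raw);
```
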
