JSON.stringify </script>

Simon Pieters simonp at opera.com
Thu Sep 29 10:17:43 UTC 2016


On Wed, 28 Sep 2016 19:06:31 +0200, Michał Wadas <michalwadas at gmail.com>  
wrote:

> Idea: require implementations to stringify "</script>" as  
> "<\uxxxxscript>".
>
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
>
> Backward compatible: yes, unless binary equality is required and this
> string is used.

You would also need to escape "<!--" and "<script" for HTML. See  
https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements

-- 
Simon Pieters
Opera Software


More information about the es-discuss mailing list