It has recently been brought to my attention that a particular use case of JSON 
serialisation is to include JSON serialised content directly into an HTML file 
(inside a script tag).  In this case in addition to the threat of strings being 
terminated by a double quote there's also the potential for the string 
"</script>" to terminate the JS source.

The request I received was to escape the slash character, which is allowed as 
input but per ES5 spec we aren't allowed to emit.

I will say that I don't really like this idea, as it leads to "why not escape 
#?", etc., but I thought I should bring this up on the list and see what others 
think.

--Oliver

_______________________________________________
es-discuss mailing list
https://mail.mozilla.org/listinfo/es-discuss
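
The case described in the message above, as an added example that is not part of the original post: `JSON.stringify` leaves `/` unescaped, so a string value containing `</script>` ends an inline script element, while rewriting `</` as `<\/` afterwards stays valid JSON because `\/` is accepted on input. The function names, the sample object and the regex approximating the HTML parser's end-of-script rule are assumptions made for illustration.

```javascript
"use strict";

// Approximation (assumption) of how an HTML parser ends an inline script:
// the first "</script" followed by whitespace, "/" or ">", case-insensitive.
// Returns the offset where the script body would be cut, or -1 if it is not.
function endOfInlineScript(body) {
  const m = /<\/script[\t\n\f\r \/>]/i.exec(body);
  return m ? m.index : -1;
}

// Hypothetical helper: serialise, then escape the slash only where it follows
// "<". In JSON.stringify output "<" and "/" can only occur inside string
// literals, so the global replace never touches structural characters.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/<\//g, "<\\/");
}

// Constructed sample input.
const sample = {
  comment: "ends here </script><p>now markup",
  path: "a/b", // an ordinary slash, left as-is by both serialisers
};

function demo() {
  const plain = "var data = " + JSON.stringify(sample) + ";";
  const hardened = "var data = " + jsonForInlineScript(sample) + ";";
  return {
    plain,
    hardened,
    // Offset at which the parser would terminate the script element.
    plainCut: endOfInlineScript(plain),
    hardenedCut: endOfInlineScript(hardened),
    // "\/" is legal JSON input, so the escaped text parses to the same data.
    roundTrips:
      JSON.stringify(JSON.parse(jsonForInlineScript(sample))) ===
      JSON.stringify(sample),
  };
}

console.log(demo());
```
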