2011/4/12 Oliver Hunt <[email protected]>:
> It has recently been brought to my attention that a particular use case of
> JSON serialisation is to include JSON serialised content directly into an
> HTML file (inside a script tag). In this case in addition to the threat of
> strings being terminated by a double quote there's also the potential for the
> string "</script>" to terminate the JS source.

If the output can contain a CDATA section end (]]>) or escaping text
span end (-->) then it can also cause premature termination of JS
source.

E.g. in the HTML

    <script>//<!--
    var myJson = { "foo": "-->" }
    document.write('<script>...' + myJson + '...</script>');
    ...
    //--></script>

or in the XHTML

    <script><![CDATA[
    var myJson = <JSON goes here>
    document.write('<script>' + myJson + '</script>')
    // Comment with <script>
    var myOtherJsonContainingCdataOpen = <more json here>;
    ]]></script>

> The request i received was to escape the slash character, which is allowed as
> input but per ES5 spec we aren't allowed to emit.
>
> I will say that I don't really like this idea as it leads to "why not escape
> #?", etc but I thought I should bring this up on the list and see what others
> think.

One answer to "why not escape #?" is that it isn't explicitly
called out in the JSON spec.

In http://www.ietf.org/rfc/rfc4627.txt JSON allows escaping of '/',
'\\', '"', and a few control characters. Other codepoints have to be
raw or numerically escaped.

    char = unescaped /
           escape (
               %x22 /          ; "    quotation mark  U+0022
               %x5C /          ; \    reverse solidus U+005C
               %x2F /          ; /    solidus         U+002F
               %x62 /          ; b    backspace       U+0008
               %x66 /          ; f    form feed       U+000C
               %x6E /          ; n    line feed       U+000A
               %x72 /          ; r    carriage return U+000D
               %x74 /          ; t    tab             U+0009
               %x75 4HEXDIG )  ; uXXXX                U+XXXX

> --Oliver
>
> _______________________________________________
> es-discuss mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/es-discuss
>
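
Added example, not part of the original thread: a JavaScript sketch that compares the slash escape discussed above with \uXXXX escapes for '<' and '>', both of which the RFC 4627 grammar quoted above permits. The function names and the sample object are constructed for illustration.

```javascript
// Sequences from the thread that can end inline script source early.
const TERMINATORS = ['</script', '-->', ']]>'];

// Report which of those sequences survive in serialized output.
function findTerminators(text) {
  const lower = text.toLowerCase();
  return TERMINATORS.filter((t) => lower.includes(t));
}

// Option raised in the thread: emit "/" as "\/".
// In JSON.stringify output "/" can only occur inside string literals,
// so a global replace cannot touch structural characters.
function stringifyEscapingSolidus(value) {
  return JSON.stringify(value).replace(/\//g, '\\/');
}

// Alternative: numeric escapes for "<" and ">", which also occur only
// inside string literals. This breaks up all three sequences at once.
function stringifyForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E');
}

// Constructed sample: one member per terminator named in the thread.
const sample = { a: '</script>', b: '-->', c: ']]>' };

function report() {
  const variants = {
    plain: JSON.stringify(sample),
    solidus: stringifyEscapingSolidus(sample),
    numeric: stringifyForInlineScript(sample),
  };
  const out = {};
  for (const [name, text] of Object.entries(variants)) {
    out[name] = {
      text,
      remaining: findTerminators(text),
      // Every variant must still parse back to the same data.
      roundTrips: JSON.stringify(JSON.parse(text)) === variants.plain,
    };
  }
  return out;
}

console.log(report());
```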