I think defining an easy way to produce embeddable JSON is a great idea, but it's not quite that simple.
https://github.com/OWASP/json-sanitizer#output captures some requirements that I came up with for embedding JSON in HTML:

"""
The output is well-formed JSON as defined by RFC 4627. The output satisfies these additional properties:

* The output will not contain the substring (case-insensitively) "</script" so can be embedded inside an HTML script element without further encoding.
* The output will not contain the substring "]]>" so can be embedded inside an XML CDATA section without further encoding.
* The output is a valid Javascript expression, so can be parsed by Javascript's eval builtin (after being wrapped in parentheses) or by JSON.parse. Specifically, the output will not contain any string literals with embedded JS newlines (U+2028 Paragraph separator or U+2029 Line separator).
* The output contains only valid Unicode scalar values (no isolated UTF-16 surrogates) that are allowed in XML unescaped.
"""

These apply equally well to RFC 7159 IIUC.

The latter few constraints are required to allow embedding of JSON in HTML in a foreign content context ( https://www.w3.org/TR/html5/syntax.html#cdata-sections ).

Those rules are sufficient to allow embedding in HTML without breaking token boundaries in the embedding language. To preserve semantics when embedding in HTML you also need to escape '&'. To prevent exfiltration via external entities in SVG & other XML variants, you should probably also escape '%'.

On Wed, Sep 28, 2016 at 10:06 AM, Michał Wadas <michalwa...@gmail.com> wrote:
> Idea: require implementations to stringify "</script>" as "<\uxxxxscript>".
>
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
>
> Backward compatible: yes, unless binary equality is required and this string
> is used.
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
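A serializer that meets the requirements discussed in this thread (the json-sanitizer list quoted above, plus the '&' and '%' escapes suggested in the reply), written as an added example and not code from json-sanitizer or from the list participants; the function name `toEmbeddableJson` is an assumption of this example:

```javascript
// Added example, not code from the thread or from OWASP json-sanitizer.
// Produces JSON text that can be embedded in an HTML <script> element or an
// XML CDATA section without further encoding, following the requirements
// quoted above plus the '&' and '%' escapes suggested in the reply.
// The function name `toEmbeddableJson` is an assumption of this example.
function toEmbeddableJson(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError("value has no JSON representation");
  }
  // JSON syntax itself never contains '<', '>', '&' or '%', so every match
  // below is inside a string literal, where a \uXXXX escape is valid JSON
  // that JSON.parse (and a JS parser) decodes back to the same character.
  return json
    // Escaping every '<' removes "</script" in any letter case.
    .replace(/</g, "\\u003c")
    // Escaping every '>' removes the CDATA terminator "]]>".
    .replace(/>/g, "\\u003e")
    // '&' would start an entity reference in XML foreign content.
    .replace(/&/g, "\\u0026")
    // '%' starts a parameter-entity reference in an XML DTD.
    .replace(/%/g, "\\u0025")
    // U+2028/U+2029 are legal raw in JSON strings but were line terminators
    // in JavaScript string literals before ES2019, so eval() of the output
    // would fail on older engines.
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    // Keep valid surrogate pairs; escape any isolated UTF-16 surrogate so the
    // output contains only Unicode scalar values (the characters XML allows).
    .replace(/[\ud800-\udbff][\udc00-\udfff]|[\ud800-\udfff]/g,
      (m) => (m.length === 2 ? m : "\\u" + m.charCodeAt(0).toString(16)));
}
```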