That's awful. As you say, it's an antipattern, no further effort should be spent on this. JSON produced by JavaScript has far more general uses than slapping directly into a script tag unencoded, so no-one else should have to see this. Also, there are many other producers of JSON than JavaScript.
Instead, use XHTML and CDATA (which has a straightforward encoding mechanism that doesn't ruin the parseability of the code or affect it in any way) if you really want to pull stunts like this.

Alex

On Wednesday, 28 September 2016, Michał Wadas <[email protected]> wrote:

> Idea: require implementations to stringify "</script>" as
> "<\uxxxxscript>".
>
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
>
> Backward compatible: yes, unless binary equality is required and this
> string is used.
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
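The escaping discussed in this thread can be applied by the code that embeds the JSON, without changing `JSON.stringify` itself. The following is an added example, not part of the thread: the function names and sample data are constructed, and the end-of-script check is a simplified model of how an HTML parser closes a script element.

```javascript
// Characters that let JSON text interact with the surrounding HTML or with
// older script parsers, mapped to equivalent JSON \uXXXX escapes.
const ESCAPES = {
  '<': '\\u003c',       // blocks "</script" and "<!--" sequences
  '>': '\\u003e',
  '&': '\\u0026',       // relevant when the page is parsed as XHTML
  '\u2028': '\\u2028',  // line separators rejected inside string literals
  '\u2029': '\\u2029',  // by pre-ES2019 engines
};

// Hypothetical helper: JSON that is safe to write inside an inline <script>.
function jsonForInlineScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError('value is not serializable as JSON');
  }
  // In JSON.stringify output these characters can only occur inside string
  // literals, so the escape changes the text but not the parsed value.
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Simplified model: the script element's content ends at the first
// "</script", matched case-insensitively, wherever it occurs.
function scriptBodyAsSeenByHtmlParser(scriptText) {
  const end = scriptText.search(/<\/script/i);
  return end === -1 ? scriptText : scriptText.slice(0, end);
}

// Constructed sample input.
const profile = { bio: 'Bio text </script> trailing text' };

const naive = 'var data = ' + JSON.stringify(profile) + ';';
const safe = 'var data = ' + jsonForInlineScript(profile) + ';';

// Unescaped: the element is cut off in the middle of the string literal.
console.log(scriptBodyAsSeenByHtmlParser(naive));
// Escaped: the whole statement stays inside the element.
console.log(scriptBodyAsSeenByHtmlParser(safe));
// The escaped text still parses to the original value.
console.log(JSON.parse(jsonForInlineScript(profile)).bio === profile.bio);
```

Because the escapes are ordinary JSON string escapes, any conforming JSON parser reads the output as the same value, so other consumers of the JSON are unaffected.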

