Actually CDATA suffers from the same issue - for the string "]]>". Mike Samuel has a very strong point here.

And by saying "it's an antipattern, don't do this" we will not make old vulnerable code go away. And we have a very good way to stop people from shooting their own feet - for free.

On 28 Sep 2016 8:31 p.m., "Alexander Jones" <[email protected]> wrote:

That's awful. As you say, it's an antipattern, no further effort should be spent on this. JSON produced by JavaScript has far more general uses than slapping directly into a script tag unencoded, so no-one else should have to see this. Also, there are many other producers of JSON than JavaScript.

Instead, use XHTML and CDATA (which has a straightforward encoding mechanism that doesn't ruin the parseability of the code or affect it in any way) if you really want to pull stunts like this.

Alex

On Wednesday, 28 September 2016, Michał Wadas <[email protected]> wrote:

> Idea: require implementations to stringify "</script>" as
> "<\uxxxxscript>".
>
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
>
> Backward compatible: yes, unless binary equality is required and this
> string is used.
>
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
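
The escaping discussed in this thread, done in application code instead of inside JSON.stringify, as an added example that is not part of the original messages. The helper names `findBreakouts` and `jsonForScript` are hypothetical, the sample object is constructed, and the check also covers `<!--`, which the thread does not mention.

```javascript
// Added example: hypothetical helpers, not part of any standard API.
// Sequences that end or disturb an inline script block:
//   "</script" closes an HTML <script> element (matched case-insensitively),
//   "<!--"     switches the HTML parser's script data into an escaped state,
//   "]]>"      closes an XHTML CDATA section.
const BREAKOUTS = [/<\/script/i, /<!--/, /\]\]>/];

// Return the source of every breakout pattern found in the serialized text.
function findBreakouts(text) {
  return BREAKOUTS.filter((re) => re.test(text)).map((re) => re.source);
}

// "<" and ">" can only occur inside string literals in JSON.stringify
// output, so replacing them with \u escapes keeps the text valid JSON
// that parses back to the same value.
const ESCAPES = { "<": "\\u003c", ">": "\\u003e" };

function jsonForScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    // JSON.stringify returns undefined for undefined, functions and symbols.
    throw new TypeError("value is not JSON-serializable");
  }
  return json.replace(/[<>]/g, (ch) => ESCAPES[ch]);
}

// Constructed sample data containing all three sequences.
const sample = {
  bio: "</ScRiPt><b>markup</b>",
  note: "x ]]> y",
  comment: "<!-- z",
};

const naive = JSON.stringify(sample);
const safe = jsonForScript(sample);

console.log("naive output contains:", findBreakouts(naive));
console.log("escaped output contains:", findBreakouts(safe));
console.log(safe);
```

The escaped text is byte-different from plain JSON.stringify output, which is the "binary equality" caveat raised in the original idea, but JSON.parse returns an identical value.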

