ECMAScript, while highly used in web browsers, should really not care about HTML constructs. That's where WHATWG and W3C come in. I suggest this type of feature should come from one of those groups, not ECMA.
On Wed, Sep 28, 2016 at 11:54 AM, Alexander Jones <[email protected]> wrote:

> Hi Michał
>
> Embedding a JSON literal into HTML involves first encoding to JSON then
> encoding that into HTML. Two stages which must not be confused. The
> 'encoding into HTML' part is best done in XHTML with CDATA, and the
> encoding method is taken care of by whichever XML-generating library you're
> using. If you hint it to use CDATA for such a text node, or if for any
> other reason it chooses to use CDATA, rather than merely converting every
> `<` to `&lt;`, etc., then it will (or should) "escape" `]]>` as
> `]]]]><![CDATA[>` or whatever equivalent. See
> https://en.wikipedia.org/wiki/CDATA#Nesting for more info. Crucially, this
> works for encoding ANY text data into a text node in an XML document, not
> just JSON.
>
> Having the specified JSON algorithm in ECMAScript deal with concerns of
> embedding into legacy, non XML-based HTML (oh yes, I totally went there! ;)
> ) is a classic layer violation, which I would guarantee offends 99 out of
> 100 experienced programmers' sensibilities. :)
>
> Aside, I'll repeat again that this would be largely ineffective - a lot of
> JSON that might be dumbly pasted into a text stream of HTML would be
> generated by implementations other than that specified by ECMAScript.
>
> Hope this clears it up
>
> Alex
>
> On 28 September 2016 at 19:41, Michał Wadas <[email protected]> wrote:
>
>> Actually CDATA suffers the same issue - for string "]]>". Mike Samuel has
>> a very strong point here.
>>
>> And by saying "it's an antipattern, don't do this" we will not make old
>> vulnerable code go away. And we have a very good way to stop people from
>> shooting their own feet - for free.
>>
>> On 28 Sep 2016 8:31 p.m., "Alexander Jones" <[email protected]> wrote:
>>
>> That's awful. As you say, it's an antipattern, no further effort should
>> be spent on this. JSON produced by JavaScript has far more general uses
>> than slapping directly into a script tag unencoded, so no-one else should
>> have to see this. Also, there are many other producers of JSON than
>> JavaScript.
>>
>> Instead, use XHTML and CDATA (which has a straightforward encoding
>> mechanism that doesn't ruin the parseability of the code or affect it in
>> any way) if you really want to pull stunts like this.
>>
>> Alex
>>
>>
>> On Wednesday, 28 September 2016, Michał Wadas <[email protected]>
>> wrote:
>>
>>> Idea: require implementations to stringify "</script>" as
>>> "<\uxxxxscript>".
>>>
>>> Benefits: remove XSS vulnerability when injecting JSON as content of
>>> <script> tag (quite common antipattern).
>>>
>>> Backward compatible: yes, unless binary equality is required and this
>>> string is used.
>
> _______________________________________________
> es-discuss mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/es-discuss
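The two-stage encoding discussed in this thread (JSON first, then the HTML or XHTML context), as an added example that is not part of any message on the list. The function names `jsonForScriptTag`, `cdataWrap` and `cdataUnwrap` are hypothetical; the plain-HTML case uses `\uXXXX` escapes and the XHTML case uses the `]]]]><![CDATA[>` split.

```javascript
// Added example; function names are hypothetical, sample input is constructed.

// Characters that can end or alter a <script> block in the HTML parser
// ("</script", "<!--", "]]>") plus U+2028/U+2029, which older JavaScript
// engines treated as line terminators inside string literals.
const HTML_UNSAFE = /[<>&\u2028\u2029]/g;

// Stage 1: encode to JSON. Stage 2: encode for the HTML <script> context by
// rewriting unsafe characters as \uXXXX escapes. In valid JSON these
// characters can only occur inside string literals, so the escapes change
// the bytes but not the parsed value.
function jsonForScriptTag(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError('value is not JSON-serializable');
  }
  return json.replace(HTML_UNSAFE, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// XHTML variant: wrap arbitrary text in CDATA, splitting every "]]>" across
// two sections so the terminator never appears inside a single section.
function cdataWrap(text) {
  return '<![CDATA[' + text.split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// What an XML parser recovers: the concatenated contents of each section.
function cdataUnwrap(xml) {
  const sections = xml.match(/<!\[CDATA\[[\s\S]*?\]\]>/g) || [];
  return sections.map((s) => s.slice(9, -3)).join('');
}

// Constructed sample containing both terminators discussed in the thread.
const sample = { note: '</script><!-- constructed -->', cdata: 'a]]>b' };
const embedded = jsonForScriptTag(sample);
console.log(embedded);                          // safe inside <script> in HTML
console.log(cdataWrap(JSON.stringify(sample))); // safe inside XHTML CDATA
```

Both encoders are applied by the code that builds the page, after `JSON.stringify`, so the JSON producer itself stays unchanged.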

