I agree it's subideal, which is why I work to address problems like this in template systems, but ad-hoc string concatenation happens and embeddable sub-languages provide defense-in-depth without sacrificing correctness.
CDATA sections solve no problems because they cannot contain any string that has "]]>" as a substring so you still have to s/\]\]>/]]>]]<!CDATA>/g.

On Sep 28, 2016 2:32 PM, "Alexander Jones" <[email protected]> wrote:

> That's awful. As you say, it's an antipattern, no further effort should be
> spent on this. JSON produced by JavaScript has far more general uses than
> slapping directly into a script tag unencoded, so no-one else should have
> to see this. Also, there are many other producers of JSON than JavaScript.
>
> Instead, use XHTML and CDATA (which has a straightforward encoding
> mechanism that doesn't ruin the parseability of the code or affect it in
> any way) if you really want to pull stunts like this.
>
> Alex
>
> On Wednesday, 28 September 2016, Michał Wadas <[email protected]>
> wrote:
>
>> Idea: require implementations to stringify "</script>" as
>> "<\uxxxxscript>".
>>
>> Benefits: remove XSS vulnerability when injecting JSON as content of
>> <script> tag (quite common antipattern).
>>
>> Backward compatible: yes, unless binary equality is required and this
>> string is used.
>>
>
> _______________________________________________
> es-discuss mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/es-discuss
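The two encodings discussed in this thread, as an added example that is not part of the original messages: JSON made safe for inlining in a `<script>` element, and text wrapped in CDATA with every `]]>` split across sections. Escaping `<`, `>` and `&` as `\uXXXX` is an assumed, commonly used variant of the proposed `</script>` rewrite, and all function names are hypothetical.

```javascript
// Added example; jsonForScript, cdataWrap and cdataUnwrap are hypothetical names.

// Serialize a value as JSON that can sit inside <script>...</script>.
// In JSON.stringify output the characters <, >, & and U+2028/U+2029 can only
// occur inside string literals, so rewriting them as \uXXXX escapes keeps the
// text valid JSON that parses back to the same value.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Wrap text in CDATA. A section cannot contain "]]>", so each occurrence is
// split: "]]" ends one section and ">" starts the next.
function cdataWrap(text) {
  return '<![CDATA[' + text.split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Minimal reader for a run of adjacent CDATA sections, used to check that
// cdataWrap round-trips. It is not a general XML parser.
function cdataUnwrap(xml) {
  const open = '<![CDATA[';
  let out = '';
  let i = 0;
  while (i < xml.length) {
    if (!xml.startsWith(open, i)) throw new Error('expected CDATA at ' + i);
    const end = xml.indexOf(']]>', i + open.length);
    if (end < 0) throw new Error('unterminated CDATA section');
    out += xml.slice(i + open.length, end);
    i = end + 3;
  }
  return out;
}

// Constructed sample input covering both terminators.
const sample = { note: '</script><b>x</b>', tail: 'a]]>b', sep: '\u2028' };

const inlined = jsonForScript(sample);
console.log(inlined);                        // no raw "<" left in the output
console.log(JSON.parse(inlined).note === sample.note);
console.log(cdataWrap(sample.tail));
console.log(cdataUnwrap(cdataWrap(sample.tail)) === sample.tail);
```
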

