On Wed, 28 Sep 2016 19:06:31 +0200, Michał Wadas <[email protected]>
wrote:
> Idea: require implementations to stringify "</script>" as
> "<\uxxxxscript>".
> Benefits: remove XSS vulnerability when injecting JSON as content of
> <script> tag (quite common antipattern).
> Backward compatible: yes, unless binary equality is required and this
> string is used.
You would also need to escape "<!--" and "<script" for HTML. See
https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
--
Simon Pieters
Opera Software
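As an added illustration of the point above (example code, not from the thread or from any participant): rewriting every "<" in JSON.stringify output as the JSON escape "\u003c" neutralises "</script", "<script" and "<!--" at once, and the result is still valid JSON. The function names jsonForScript, containsScriptBreakout and demo are hypothetical; the sample object is constructed for the demonstration.

```javascript
// JSON.stringify output only contains "<" inside string literals, so
// replacing each "<" with the JSON escape "\u003c" keeps the text valid
// JSON while removing the byte sequences the HTML parser reacts to inside
// a <script> element: "</script", "<script" and "<!--".
function jsonForScript(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

// Sequences restricted inside script element content (matched
// case-insensitively, as the HTML parser does).
const SCRIPT_BREAKOUT = [/<\/script/i, /<script/i, /<!--/];

function containsScriptBreakout(text) {
  return SCRIPT_BREAKOUT.some((re) => re.test(text));
}

// Constructed sample: user-supplied data that would end the script element
// if embedded verbatim as the content of a <script> tag.
const sample = {
  user: "mallory",
  bio: "x</script><!-- y",
};

function demo() {
  const naive = JSON.stringify(sample);
  const safe = jsonForScript(sample);
  return {
    naiveBreaksOut: containsScriptBreakout(naive), // true
    safeBreaksOut: containsScriptBreakout(safe),   // false
    // "\u003c" is a legal JSON string escape, so the data round-trips.
    roundTrips: JSON.parse(safe).bio === sample.bio, // true
  };
}
```

Since the escaping only touches string contents, JSON.parse on the client recovers the original data unchanged.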
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss