> For reference I saw people use json_encode() to pass a string to
> javascript into their page while avoiding bugs/XSS with stuff like
> </script>.
>
> var foo = <?=json_encode($my_string)?>;
> ... (yes, they maybe heard somewhere that JSON is *not* javascript, I
> told 'em too).
This is not correct. JSON *is* valid JavaScript, but the other way round is not correct. Not every JavaScript is JSON. So it is perfectly legal to do this.

I think this is really cool, using json_encode() as something like "htmlspecialchars" for correctly encoding strings inside JS for security. I use it, too.

To the problem with basic types: I like the way of maybe giving an option to the function. If you want to be standards conformant, you have to remove the encoding parameter (which is also there), too. JSON has to be UTF-8 if you want to conform to the specs. But for the example above (secure encoding of JS strings with json_encode), it is perfectly legal to use another encoding (in the above case, the encoding of the HTML page).

Uwe

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
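The idiom under discussion, `var foo = <?=json_encode($my_string)?>;`, works because json_encode() escapes `/` as `\/` by default, so a `</script>` inside the string cannot close the inline script block. The helper below is an added example, not code from the thread or from PHP itself; it assumes a PHP version that has the JSON_HEX_* flags and the `\u{...}` string syntax, and the function name `js_string_literal` is my own. It makes the escaping explicit instead of relying on the default slash handling, and it handles the UTF-8 requirement Uwe mentions by refusing input json_encode() cannot encode rather than emitting a bare `false` into the page.

```php
<?php
// Added example (not from the original thread): wrap a PHP string as a
// JavaScript string literal that is safe to place inside an inline
// <script> block or an HTML attribute. Built on json_encode(), the
// technique the thread discusses; the function name and flag choice are
// assumptions of this example.

function js_string_literal(string $value): string
{
    // JSON_HEX_TAG/AMP/APOS/QUOT emit < > & ' " as \u003C, \u003E, \u0026,
    // \u0027 and \u0022, so the literal can never contain "</script>" and
    // is also inert inside a quoted HTML attribute. json_encode() escapes
    // "/" as "\/" by default, which is what makes the plain json_encode()
    // idiom from the thread work; never combine this with
    // JSON_UNESCAPED_SLASHES for output that lands in HTML.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $encoded = json_encode($value, $flags);

    // json_encode() requires valid UTF-8 input and returns false otherwise
    // (Uwe's "JSON has to be UTF-8" point). Fail closed instead of letting
    // "var foo = ;" or "var foo = false;" reach the browser.
    if ($encoded === false) {
        throw new InvalidArgumentException(
            'cannot encode string for JavaScript: ' . json_last_error_msg()
        );
    }
    return $encoded;
}

// Constructed sample values covering the characters that matter.
$samples = [
    'plain text',
    '</script> would close the block',   // the case the thread is about
    "quotes \" and ' and a \\ backslash",
    "line\u{2028}separator",             // a JS line terminator; JSON allows
                                         // it raw, so it must be escaped
    "\xC3\x28",                          // invalid UTF-8: json_encode()
                                         // returns false for this
];

foreach ($samples as $s) {
    try {
        // Equivalent of the template line: var foo = <?= js_string_literal($my_string) ?>;
        echo 'var foo = ' . js_string_literal($s) . ";\n";
    } catch (InvalidArgumentException $e) {
        echo '// rejected: ' . $e->getMessage() . "\n";
    }
}
```

Running it prints one `var foo = ...;` line per sample, with `<`, `>`, `&` and the quotes rendered as `\uXXXX` escapes, and a `// rejected:` line for the malformed UTF-8 sample. The U+2028 case is why relying on json_encode() alone is not quite the same as "JSON is JavaScript": json_encode() escapes non-ASCII as `\uXXXX` by default, so it is covered, but passing JSON_UNESCAPED_UNICODE together with JSON_UNESCAPED_LINE_TERMINATORS would reintroduce a raw line terminator that JSON accepts and a JavaScript string literal does not.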