
This queue is for tickets about the JSON CPAN distribution.

Report information
The Basics
Id: 103516
Status: rejected
Priority: 0/
Queue: JSON

People
Owner: Nobody in particular
Requestors: maikel [...] predikkta.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Escape Slashes / as in </script>
Date: Tue, 14 Apr 2015 16:38:25 +1000
To: bug-JSON [...] rt.cpan.org
From: Maikel Linke <maikel [...] predikkta.com>
Hello there,

I just ran into the problem that a string contained "</script>". That string was in a data structure converted to JSON and then inserted into JavaScript embedded in HTML. And that's a problem for browsers:

    <html>
    <script>
    var greeting = "hello <script>kiddies</script>";
    </script>
    </html>

The browser will take the first </script> to end the HTML element and won't find valid JavaScript in there. That's why slashes can be escaped with backslashes: "<\/script>".

It is valid and safe to do that in general:

    encode_json(["</script>"])

would become:

    ["<\/script>"]

Did I overlook something or is there an option to encode slashes?

Cheers,
maikel
On 2015-04-14 02:38:56, maikel@predikkta.com wrote:
JSON.pm shouldn't deal with HTML escaping. This should be left to another library which knows about HTML escaping rules.
On Wed Apr 15 04:01:37 2015, SREZIC wrote:
As Slaven said, it's not JSON.pm's responsibility to do what you want. Don't put such a dangerous HTML snippet in JSON, and don't pass such dangerous JSON directly to a browser (i.e. JavaScript). You might also want to try JavaScript::Value::Escape and its friends.

Marked as rejected.
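The approach the maintainers point to, escaping for the HTML context after JSON encoding instead of inside JSON.pm, as an added example covering both the reporter's <script> problem and the replies above. This is not code from the ticket, from JSON.pm or from JavaScript::Value::Escape: it uses the core JSON::PP module (same API as JSON.pm) with its own small helper, json_for_script_tag, and the input data structure is constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not JSON.pm's own code): make JSON output safe to embed
# inside an HTML <script> element by escaping the HTML-significant characters
# *after* JSON encoding.  json_for_script_tag is this example's own helper.
use strict;
use warnings;
use JSON::PP;

binmode STDOUT, ':encoding(UTF-8)';   # $raw below contains a literal U+2028

# Constructed data: the greeting carries attacker-controlled text, the note a
# U+2028 LINE SEPARATOR, which older JavaScript engines treat as a newline.
my $data = {
    greeting => 'hello <script>kiddies</script>',
    note     => "line\x{2028}break",
};

my $json = JSON::PP->new->canonical;   # canonical: stable key order
my $raw  = $json->encode($data);
# $raw is valid JSON but contains a literal "</script>", which ends the HTML
# script element no matter what the JavaScript around it says.

# Rewrite the characters that matter to the HTML parser and to JavaScript
# source as JSON \uXXXX escapes.  These characters only ever occur inside
# JSON strings (never as structural characters), and \uXXXX is always legal
# there, so the result is still valid JSON and decodes to the same data.
sub json_for_script_tag {
    my ($json_text) = @_;
    my %esc = (
        '<'        => '\\u003c',
        '>'        => '\\u003e',
        '&'        => '\\u0026',
        "\x{2028}" => '\\u2028',
        "\x{2029}" => '\\u2029',
    );
    $json_text =~ s/([<>&\x{2028}\x{2029}])/$esc{$1}/g;
    return $json_text;
}

my $safe = json_for_script_tag($raw);

# Sanity checks: same data after decoding, and no "</script>" left to find.
my $back = $json->decode($safe);
die "round trip failed"
    unless $back->{greeting} eq $data->{greeting}
        && $back->{note}     eq $data->{note};
die "still contains </script>" if $safe =~ m{</script>}i;

print "unsafe: $raw\n";
print "safe:   $safe\n";
print "<script>var data = $safe;</script>\n";
```

Escaping `<` (rather than only `/`, as the ticket asks for) is deliberate: the HTML parser leaves script data only on `</script` or `<!--`, and both begin with `<`, so `\u003c` closes off both while `<\/script>` only handles the first. The helper protects JSON placed in a `<script>` element body; JSON that ends up in an HTML attribute (an inline `onclick`, a `data-` attribute) needs HTML attribute escaping on top of this, which is the "another library which knows about HTML escaping rules" Slaven refers to.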