Embedding JSON in HTML #81

trilogysci opened this Issue · 5 comments

as per discussion
There should be a way to encode strings into JSON such that they can be safely embedded in HTML.
Escaping < to \x3c and > to \x3e would prevent strings containing or --> from causing XSS errors.

Bas van Dijk

I think that patch should fix it right?

Bas van Dijk

Yes, it will also handle keys:

λ> putStrLn $ encode (object ["</script>bad key" .= True])
{"\u003c/script\u003ebad key":true}

Bryan O'Sullivan
bos commented

Thanks for the report and quick fix!

Bryan O'Sullivan bos closed this
Niklas Hambüchen
nh2 commented

This is incredibly wrong.

See also #127. says clearly:

A string is a sequence of zero or more Unicode characters, wrapped in double quotes, using backslash escapes. A character is represented as a single character string. A string is very much like a C or Java string.

While any char may be escaped, a JSON encoder looks like the wrong place to fix things that should have been done to the input.

This is like me asking to escape :: because otherwise it might be code interpreted by ghci.
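
The escaping discussed in this thread, as an added example that is not part of the issue or of aeson's code: a JavaScript sketch showing that `\u003c`/`\u003e` escapes keep the output valid JSON while removing `</script>` and `<!--` from the serialized text. The names `encodeForScript` and `scriptEndsAt` and the sample object are assumptions made for the illustration.

```javascript
// Added example (not aeson's implementation): escape '<' and '>' in
// serialized JSON using only escapes that JSON itself allows.

// In valid JSON text, '<' and '>' can occur only inside string literals
// (keys or values), so replacing them globally never changes the structure.
// JSON has no \x escape, so the \uXXXX form is used, matching the output
// shown in the thread.
function encodeForScript(value) {
  return JSON.stringify(value).replace(/[<>]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Simplified model of how an HTML parser finds the end of a <script>
// element: it stops at the first "</script" (case-insensitive), whatever
// the JavaScript inside looks like. Returns the index where the element
// would end, or -1 if the whole body stays inside the element.
function scriptEndsAt(scriptBody) {
  return scriptBody.search(/<\/script/i);
}

// Constructed sample input, including the key from the thread.
const sample = {
  "</script>bad key": true,
  comment: "<!-- opens a comment --> and closes it",
  nested: [{ html: "</SCRIPT><img src=x>" }, "a & b"],
};

// Compares plain and escaped serialization of the same value.
function demo() {
  const plain = JSON.stringify(sample);
  const safe = encodeForScript(sample);
  return {
    // Where the script element would end if each form were inlined.
    plainEndsAt: scriptEndsAt("var data = " + plain + ";"),
    safeEndsAt: scriptEndsAt("var data = " + safe + ";"),
    // The escaped text still parses to exactly the same value.
    roundTrips: JSON.stringify(JSON.parse(safe)) === plain,
    containsAngle: /[<>]/.test(safe),
    safe,
  };
}

console.log(demo());
```
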
