
Embedding JSON in HTML #81

Closed
trilogysci opened this Issue · 5 comments

trilogysci

As per discussion http://stackoverflow.com/questions/4176511/embedding-json-objects-in-script-tags
There should be a way to encode strings into JSON such that they can be safely embedded in HTML.
Escaping < to \x3c and > to \x3e would prevent strings containing </script> or --> from causing XSS errors.

Bas van Dijk
Collaborator

I think that patch should fix it, right?

trilogysci
Bas van Dijk
Collaborator

Yes, it will also handle keys:

λ> putStrLn $ encode (object ["</script>bad key" .= True])
{"\u003c/script\u003ebad key":true}
Bryan O'Sullivan
Owner
bos commented

Thanks for the report and quick fix!

Bryan O'Sullivan bos closed this
Niklas Hambüchen
nh2 commented

This is incredibly wrong.

http://www.json.org/string.gif

See also #127.

http://www.json.org says clearly:

A string is a sequence of zero or more Unicode characters, wrapped in double quotes, using backslash escapes. A character is represented as a single character string. A string is very much like a C or Java string.

While any char may be escaped, a JSON encoder looks like the wrong place to fix things that should have been done to the input.

This is like me asking to escape :: because otherwise it might be code interpreted by ghci.
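
Added example, not part of the thread and not aeson's code: a JavaScript sketch of the escaping under discussion, applied as a separate step after serialization, showing that the `\u003c` form decodes to the same value while no `<` or `>` reaches the HTML parser. The helper name `jsonForScript` and the sample object are assumptions; it goes beyond the thread by also escaping `&`, U+2028 and U+2029.

```javascript
// Characters that are harmless in JSON but meaningful to an HTML parser
// (or, for U+2028/U+2029, to older JavaScript parsers) when the JSON text
// is placed inside an inline <script> element.
const HTML_SENSITIVE = /[<>&\u2028\u2029]/g;

// jsonForScript is a hypothetical helper name, not an API of any library.
function jsonForScript(value) {
  // In serialized JSON these characters can only occur inside string
  // literals (keys or values), so replacing each with its \uXXXX escape
  // changes the text but not the value it decodes to.
  return JSON.stringify(value).replace(HTML_SENSITIVE, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed sample input, modelled on the key shown in the thread.
const sample = {
  '</script>bad key': true,
  note: 'a --> b & <!-- c',
};

// Encode, then decode again, so callers can compare both forms.
function demo() {
  const encoded = jsonForScript(sample);
  const decoded = JSON.parse(encoded);
  return { encoded, decoded };
}

const result = demo();
console.log(result.encoded);
// The decoded object has the original key and value back.
console.log(Object.keys(result.decoded)[0]);
```

Plain `JSON.stringify` leaves `<` and `>` untouched, so the escaping here is a step added at the point where the JSON is written into the page.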
