Fix issue #81: Escape < and > characters in JSON strings #82

Merged
merged 1 commit

2 participants

@basvandijk
Collaborator

This would fix issue #81.

@bos bos merged commit fa2ff40 into bos:master
Commits on Jul 4, 2012
  1. @basvandijk
Showing with 12 additions and 2 deletions.
  1. +12 −2 Data/Aeson/Encode.hs
Data/Aeson/Encode.hs (14 changed lines)
@@ -62,15 +62,25 @@ string :: T.Text -> Builder
string s = {-# SCC "string" #-} singleton '"' <> quote s <> singleton '"'
where
quote q = case T.uncons t of
- Nothing -> fromText h
+ Nothing -> fromText h
Just (!c,t') -> fromText h <> escape c <> quote t'
where (h,t) = {-# SCC "break" #-} T.break isEscape q
- isEscape c = c == '\"' || c == '\\' || c < '\x20'
+ isEscape c = c == '\"' ||
+ c == '\\' ||
+ c == '<' ||
+ c == '>' ||
+ c < '\x20'
escape '\"' = "\\\""
escape '\\' = "\\\\"
escape '\n' = "\\n"
escape '\r' = "\\r"
escape '\t' = "\\t"
+
+ -- The following prevents untrusted JSON strings containing </script> or -->
+ -- from causing an XSS vulnerability:
+ escape '<' = "\\u003c"
+ escape '>' = "\\u003e"
+
escape c
| c < '\x20' = fromString $ "\\u" ++ replicate (4 - length h) '0' ++ h
| otherwise = singleton c
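Review bot: the new `'<'` and `'>'` clauses in `isEscape` and `escape` change the bytes that every caller of `string` produces, not only output destined for an HTML `<script>` block, yet nothing in the diff documents this at the function itself; add a sentence to the `string` haddock stating that `<` and `>` are always emitted as `\u003c` and `\u003e` (still valid JSON, so decoders are unaffected) so consumers who compare or hash encoded output know why it moved. Since the new comment frames the goal as safe embedding inside `<script>` or an HTML comment, the same reasoning applies to U+2028 and U+2029, which JSON allows raw but JavaScript treats as line terminators; adding `escape '\x2028' = "\\u2028"` and `escape '\x2029' = "\\u2029"` with matching `isEscape` clauses would close that gap in the same spirit. The whitespace-only rewrite of `Nothing -> fromText h` adds noise to the hunk and could be dropped.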