
Rename escape_slash in script_safe and also escape U+2028 and U+2029 #525

Merged Dec 1, 2023 (1 commit)

Commits on Apr 19, 2023

  1. Rename escape_slash in script_safe and also escape U+2028 and U+2029

    It is rather common to directly interpolate a JSON string inside
    <script> tags in HTML so as to provide configuration or parameters to a
    script.
    
    However, this may lead to XSS vulnerabilities; to prevent that, 3
    characters need to be escaped:
    
      - `/` (forward slash)
      - `U+2028` (LINE SEPARATOR)
      - `U+2029` (PARAGRAPH SEPARATOR)
    
    The forward slash needs to be escaped to prevent closing the script
    tag early, and the other two are valid JSON but invalid JavaScript
    and can be used to break JS parsing.
    
    Given that the intent of escaping the forward slash is the same as escaping
    U+2028 and U+2029, I chose to rename and repurpose the existing `escape_slash`
    option.
    byroot committed Apr 19, 2023
    Commit 29e5ccf
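The commit message above describes why `/`, U+2028 and U+2029 must be escaped before JSON is interpolated into a `<script>` element. The following Ruby script is an added example, not the json gem's implementation and not code from this PR: it shows the unsafe interpolation next to a hardened version, plus a check a defender can run over the produced markup. The escaping is done as a post-processing step on `JSON.generate` output purely to make the effect visible; the gem's `script_safe` option, which this PR introduces, performs the same escaping natively. The input hash, the function names and the hazard labels are all constructed for this illustration.

```ruby
require 'json'

# Constructed input: a hash an application might embed in a page.
# The values deliberately carry the three dangerous characters.
CONFIG = {
  "name" => "</script><script>alert(1)</script>",
  "bio"  => "line\u2028break\u2029here",
  "url"  => "https://example.com/path",
}.freeze

# Unsafe pattern: plain JSON interpolated as-is into a <script> tag.
# JSON.generate does not escape "/" by default, and U+2028/U+2029 are
# legal inside JSON strings, so all three pass through untouched.
def unsafe_script_tag(obj)
  "<script>var config = #{JSON.generate(obj)};</script>"
end

# Hardened pattern (illustrative post-processing, not the gem's own code):
#   "/"    -> "\/"     so "</script>" can no longer appear in the output
#   U+2028 -> "\u2028" a valid JS string escape instead of a raw line terminator
#   U+2029 -> "\u2029"
# The hash form of gsub inserts the replacements literally, which avoids any
# backslash interpretation in the replacement string.
SCRIPT_SAFE_ESCAPES = {
  "/"      => "\\/",
  "\u2028" => "\\u2028",
  "\u2029" => "\\u2029",
}.freeze

def script_safe_json(obj)
  JSON.generate(obj).gsub(/[\/\u2028\u2029]/, SCRIPT_SAFE_ESCAPES)
end

def safe_script_tag(obj)
  "<script>var config = #{script_safe_json(obj)};</script>"
end

# Defender's check: after stripping the element's own opening and closing
# tags, does the embedded payload still contain anything that can terminate
# the <script> element early or break the JavaScript parser?
def script_tag_hazards(html)
  body = html.sub(/\A<script>/, "").sub(%r{</script>\z}, "")
  hazards = []
  hazards << "closing-tag" if body.include?("</")
  hazards << "U+2028"      if body.include?("\u2028")
  hazards << "U+2029"      if body.include?("\u2029")
  hazards
end

# The escaping must be lossless: the browser's JSON.parse (or the JS engine
# reading the object literal) still sees the original data.
def round_trips?(obj)
  JSON.parse(script_safe_json(obj)) == obj
end

if __FILE__ == $0
  puts unsafe_script_tag(CONFIG)
  puts "hazards: #{script_tag_hazards(unsafe_script_tag(CONFIG)).inspect}"
  puts safe_script_tag(CONFIG)
  puts "hazards: #{script_tag_hazards(safe_script_tag(CONFIG)).inspect}"
  puts "round trip ok: #{round_trips?(CONFIG)}"
end
```

Running it prints the raw `<script>` block with the closing tag and the two separators still inside it, then the escaped block in which they have become `<\/script>`, `\u2028` and `\u2029`, and confirms that parsing the escaped JSON returns the original hash. In a real application you would pass `script_safe: true` to `JSON.generate` rather than post-processing, but the check function is still useful as a regression test over rendered templates.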