From 188e66b40d99ccb43cd4a67f142f083640e62ed7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Muska=C5=82a?= <michal@muskala.eu>
Date: Mon, 4 May 2020 15:03:45 +0100
Subject: [PATCH] html_safe option protects against comment injection

When encoding with the html_safe option, also encode `<` into `\\u003C`
to protect against injecting `<!--` HTML comments into JSON.

Closes #109
---
 lib/encode.ex        | 2 +-
 test/encode_test.exs | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/encode.ex b/lib/encode.ex
index fc3c738..1a9d7be 100644
--- a/lib/encode.ex
+++ b/lib/encode.ex
@@ -261,7 +261,7 @@ defmodule Jason.Encode do
   slash_escapes = Enum.zip('\b\t\n\f\r\"\\', 'btnfr"\\')
   surogate_escapes = Enum.zip([0x2028, 0x2029], ["\\u2028", "\\u2029"])
   ranges = [{0x00..0x1F, :unicode} | slash_escapes]
-  html_ranges = [{0x00..0x1F, :unicode}, {?/, ?/} | slash_escapes]
+  html_ranges = [{0x00..0x1F, :unicode}, {?<, :unicode}, {?/, ?/} | slash_escapes]
   escape_jt = Codegen.jump_table(html_ranges, :error)
 
   Enum.each(escape_jt, fn
diff --git a/test/encode_test.exs b/test/encode_test.exs
index e4a0a74..ede61a6 100644
--- a/test/encode_test.exs
+++ b/test/encode_test.exs
@@ -30,8 +30,9 @@ defmodule Jason.EncoderTest do
     assert to_json("☃a", escape: :unicode_safe) == ~s("\\u2603a")
     assert to_json("𝄞b", escape: :unicode_safe) == ~s("\\uD834\\uDD1Eb")
     assert to_json("\u2028\u2029abc", escape: :javascript_safe) == ~s("\\u2028\\u2029abc")
-    assert to_json("</script>", escape: :html_safe) == ~s("<\\/script>")
-    assert to_json(~s(<script>var s = "\u2028\u2029";</script>), escape: :html_safe) == ~s("<script>var s = \\\"\\u2028\\u2029\\\";<\\/script>")
+    assert to_json("</script>", escape: :html_safe) == ~s("\\u003C\\/script>")
+    assert to_json(~s(<script>var s = "\u2028\u2029";</script>), escape: :html_safe) == ~s("\\u003Cscript>var s = \\\"\\u2028\\u2029\\\";\\u003C\\/script>")
+    assert to_json("<!-- fake comment", escape: :html_safe) == ~s("\\u003C!-- fake comment")
     assert to_json("áéíóúàèìòùâêîôûãẽĩõũ") == ~s("áéíóúàèìòùâêîôûãẽĩõũ")
     assert to_json("a\u2028a", escape: :javascript_safe) == ~s("a\\u2028a")
     assert to_json("a\u2028a", escape: :html_safe) == ~s("a\\u2028a")