Regarding JSON inside <script> tag and HTML5 parser #605

Closed
wh0 opened this Issue · 0 comments

2 participants

wh0 commented

A JSON string in an HTML <script> tag may cause the parser to enter the script data double escaped state, in which </script> would not return the parser to the data state as expected.

sample.html:

<!doctype html>
<script>alert({{ v|tojson|safe }});</script>

sample.py:

return render_template('sample.html', v='<!--<script>')

mitsuhiko closed this in c4f2075
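
An added example, not part of the original issue and not Flask's code: a simplified Python model of the HTML5 tokenizer's script data states, showing why the `</script>` in sample.html fails to close the element for the reported value, next to one mitigation (escaping `<`, `>` and `&` as `\uXXXX` in the JSON). The function names are hypothetical, and plain `json.dumps` stands in for any encoder that leaves `<` unescaped.

```python
import json
import re

# Tokens that move the HTML5 tokenizer between script-data states. A tag name
# only counts when followed by whitespace, "/" or ">".
_TOKEN = re.compile(r"<!--|-->|</?script(?=[\t\n\f\r />])", re.I)

def script_end_offset(body):
    """Offset of the "</script" that really closes the element, else None.

    `body` is the text after the opening <script> tag. Simplified model of
    the script data / escaped / double escaped tokenizer states.
    """
    state, pos = "data", 0
    while True:
        m = _TOKEN.search(body, pos)
        if m is None:
            return None
        tok, pos = m.group(0).lower(), m.end()
        if tok == "<!--":
            if state == "data":
                state = "escaped"
            pos = m.start() + 2      # so "<!-->" still ends the escape
        elif tok == "-->":
            state = "data"
        elif tok == "<script":
            if state == "escaped":
                state = "double"     # script data double escaped state
        elif state == "double":
            state = "escaped"        # "</script" swallowed, element stays open
        else:
            return m.start()

def script_safe_json(value):
    """Hypothetical mitigation: emit <, > and & as \\uXXXX escapes."""
    out = json.dumps(value)
    for ch in "<>&":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out

def render(encode, v):
    # Body of the <script> element in sample.html, built by hand (no Flask).
    return "alert(%s);</script>" % encode(v)

if __name__ == "__main__":
    v = "<!--<script>"               # value from the report
    print(script_end_offset(render(json.dumps, v)))        # element never closes
    print(script_end_offset(render(script_safe_json, v)))  # closes at </script>
```

The escaped output is still valid JSON and decodes to the original string, so the value seen by the script is unchanged.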