
don't escape solidus anymore

commit c972e5edad96fde64f853809640d1416d7d9c689 1 parent cd3fcd8
Bob Ippolito authored December 29, 2007

Showing 1 changed file with 10 additions and 2 deletions.

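--- a/src/mochijson2.erl
+++ b/src/mochijson2.erl
@@ -143,8 +143,16 @@ json_encode_string_unicode([C | Cs], Acc) ->
     Acc1 = case C of
 	       ?Q ->
 		   [?Q, $\\ | Acc];
-	       $/ ->
-		   [$/, $\\ | Acc];
+               %% Escaping solidus is only useful when trying to protect
+               %% against "</script>" injection attacks which are only
+               %% possible when JSON is inserted into a HTML document
+               %% in-line. mochijson2 does not protect you from this, so
+               %% if you do insert directly into HTML then you need to
+               %% uncomment the following case or escape the output of encode.
+               %%
+	       %% $/ ->
+	       %%    [$/, $\\ | Acc];
+               %%
 	       $\\ ->
 		   [$\\, $\\ | Acc];
 	       $\b ->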
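Review bot: The new comment block tells callers who embed encoded JSON in an HTML page to edit the library and uncomment the `$/` clause, which is a patch-the-source instruction rather than an API; a safer shape is an encoder option that re-enables that clause at runtime, so such callers can opt in without forking mochijson2. Escaping `/` on its own is also only a partial defence for the inline-`<script>` case the comment describes — escaping `<` and `>` as `\u003c` / `\u003e` in that context is the usual recommendation — so the comment should say "escape the output of encode for the HTML context it is placed in" rather than present the solidus clause as sufficient. The two commented-out clause lines (`%% $/ ->` and `%%    [$/, $\\ | Acc];`) are tab-indented while the surrounding new comment lines use spaces; the block should use one or the other. json_encode_string_unicode begins before and continues after this hunk.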

