
don't escape solidus anymore

1 parent cd3fcd8 commit c972e5edad96fde64f853809640d1416d7d9c689 @etrepum etrepum committed Dec 29, 2007
Showing with 10 additions and 2 deletions.
  1. +10 −2 src/mochijson2.erl
@@ -143,8 +143,16 @@ json_encode_string_unicode([C | Cs], Acc) ->
Acc1 = case C of
?Q ->
[?Q, $\\ | Acc];
- $/ ->
- [$/, $\\ | Acc];
+ %% Escaping solidus is only useful when trying to protect
+ %% against "</script>" injection attacks which are only
+ %% possible when JSON is inserted into a HTML document
+ %% in-line. mochijson2 does not protect you from this, so
+ %% if you do insert directly into HTML then you need to
+ %% uncomment the following case or escape the output of encode.
+ %%
+ %% $/ ->
+ %% [$/, $\\ | Acc];
+ %%
$\\ ->
[$\\, $\\ | Acc];
$\b ->
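Review bot: The inline-HTML caveat sits only in a comment inside the `case C of` of json_encode_string_unicode, so callers who embedded encoder output in a script element and relied on the old `/` escaping lose it on upgrade without any visible notice. I would put the warning on the public encode function's documentation, e.g. `%% @doc Encode a term as JSON. The result is not escaped for inline use in HTML; escape it for that context before embedding.`, and call out the behaviour change in the release notes. Asking users to uncomment a clause in library source is fragile; if the old behaviour should stay reachable, an encoder option would be cleaner, though whether the encoder state has room for one is not visible in this hunk. The comment is also narrowly framed: escaping `/` only ever covered the closing-tag case, so the advice should be to escape the output for the HTML context rather than to restore this one clause. The function body starts and ends outside the hunk.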
