Regarding JSON inside <script> tag and HTML5 parser #605

wh0 opened this Issue Oct 3, 2012 · 0 comments


2 participants

wh0 commented Oct 3, 2012

A JSON string in an HTML <script> tag may cause the parser to enter the script data double escaped state, in which </script> would not return the parser to the data state as expected.


<!doctype html>
<script>alert({{ v|tojson|safe }});</script>

return render_template('sample.html', v='<!--<script>')

@mitsuhiko mitsuhiko closed this in c4f2075 Oct 7, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment