Rename escape_slash in script_safe and also escape E+2028 and E+2029#525
Merged
hsbt merged 1 commit intoruby:masterfrom Dec 1, 2023
Merged
Rename escape_slash in script_safe and also escape E+2028 and E+2029#525hsbt merged 1 commit intoruby:masterfrom
hsbt merged 1 commit intoruby:masterfrom
Conversation
Member
casperisfine
force-pushed
the
script-safe-option
branch
from
f0142af to
637fc52
Compare
Author
|
@hsbt done. Also sorry for including this change, I'm not sure what was going on but I couldn't get JRuby to work with that But I can revert that part, no problem. |
Author
|
Some note here. As implemented in this PR, this option make the json safe to include in Some JSON libraries do offer an "xss_safe" mode, that also escape |
It is rather common to directly interpolate JSON string inside <script> tags in HTML as to provide configuration or parameters to a script. However this may lead to XSS vulnerabilities, to prevent that 3 characters need to be escaped: - `/` (forward slash) - `U+2028` (LINE SEPARATOR) - `U+2029` (PARAGRAPH SEPARATOR) The forward slash need to be escaped to prevent closing the script tag early, and the other two are valid JSON but invalid Javascript and can be used to break JS parsing. Given that the intent of escaping forward slash is the same than escaping U+2028 and U+2029, I chos to rename and repurpose the existing `escape_slash` option.
casperisfine
force-pushed
the
script-safe-option
branch
from
637fc52 to
29e5ccf
Compare
Author
|
Ok, I reverted the Gemfile and gemspec changes because it was failing on CI. I don't know what's wrong with JRuby on my machine :/ |
matzbot
pushed a commit
to ruby/ruby
that referenced
this pull request
Dec 1, 2023
> ruby/json#525 > Rename escape_slash in script_safe and also escape E+2028 and E+2029 Co-authored-by: Jean Boussier <[email protected]> > ruby/json#454 > Remove unnecessary initialization of create_id in JSON.parse() Co-authored-by: Watson <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix: #215
Fix:#214
It is rather common to directly interpolate JSON string inside <script> tags in HTML as to provide configuration or parameters to a script.
However this may lead to XSS vulnerabilities, to prevent that 3 characters need to be escaped:
/(forward slash)U+2028(LINE SEPARATOR)U+2029(PARAGRAPH SEPARATOR)The forward slash need to be escaped to prevent closing the script tag early, and the other two are valid JSON but invalid Javascript and can be used to break JS parsing.
Given that the intent of escaping forward slash is the same than escaping U+2028 and U+2029, I chose to rename and repurpose the existing
escape_slashoption.cc @hsbt @nurse
This could be used to very significantly speedup
ActiveSupport::JSON(cc @jhawthorn)