11👍
If you are using XHTML, you would be able to use entity references (`&lt;`, `&gt;`, `&amp;`) to escape any string you want within `<script>`. You would not want to use a `<![CDATA[...]]>` section, because the sequence `]]>` can't be expressed within a CDATA section, and you would have to change the script to express `]]>`.
But you're probably not using XHTML. If you're using regular HTML, the `<script>` tag acts somewhat like a CDATA section in XML, except that it has even more pitfalls. It ends with `</script>`. There are also arcane rules to allow `<!-- document.write("<script>...</script>") -->` (the comment and the `<script>` opening tag must both be present for `</script>` to be passed through). The compromise that the HTML5 editors adopted for future browsers is described in HTML 5 tokenization and CDATA Escapes.
I think the takeaway is that you must prevent `</script>` from occurring in your JSON, and to be safe you should also avoid `<script>`, `<!--`, and `-->` to prevent runaway comments or script tags. I think it's easiest just to replace `<` with `\u003c` and `-->` with `--\>`.
6👍
I tried backslash escaping the forward slash and that seems to work:
<script type='text/javascript'>JSON={"foo": "<\/script>"};</script>
Have you tried that?
On a side note, I am surprised that the embedded `</script>` tag in a string breaks the JavaScript. Couldn't believe it at first, but tested in Chrome and Firefox.
0👍
I would do something like this:
<script type='text/javascript'>JSON={"foo": "</" + "script>"};</script>
0👍
For this case in Python, I have opened a bug in the bug tracker. However, the rules are indeed complicated, as `<!--` and `<script>` play together in quite evil ways even in the adopted HTML5 parsing rules. BTW, `\>` is not a valid JSON escape, so it would be better replaced with `\u003E`; thus the absolutely safe escaping should be to escape `\u003C` and `\u003E` AND a couple of other evil characters mentioned in the Python bug…