JSON::XS and escaping literal strings

abelard12 has asked for the wisdom of the Perl Monks concerning the following question:

I'm using JSON::XS to generate an ld+json object. I'm not clear on what the correct way is to escape string literal values.

JSON::PP has an escape_slash() method. JSON::XS does not. But there is also a Cpanel::JSON::XS fork that does implement it.

Cpanel::JSON::XS includes this note:

According to the JSON Grammar, the forward slash character (U+002F) "/" need to be escaped. But by default strings are encoded without escaping slashes in all perl JSON encoders.

So what is best practice? Why doesn't JSON::XS offer the escape_slash() method? Is it a false sense of security? If so, what's the safest route? To escape all of the strings in the data structure before encoding to JSON?

It seems like having an escape option as part of the JSON encoding would be less error-prone. What are y'all doing?

This page talks about the problem and recommends using jsesc with Node: https://www.man42.net/blog/2016/12/safely-escape-user-data-in-a-script-tag/

What's the equivalent of jsesc for Perl?

Thanks!

Comment on JSON::XS and escaping literal strings

Replies are listed 'Best First'.
Re: JSON::XS and escaping literal strings by choroba (Cardinal) on Jun 06, 2018 at 23:21 UTC
According to this StackOverflow discussion, forward slash can be escaped, but doesn't have to. At work, we don't escape it, as we don't include JSON into script tags. What's wrong with `s{([/!])}{\\$1}g`? ($q=q:Sq=~/;[c](.)(.)/;chr(-\|\|-\|5+lengthSq)`"S\|oS2"`map{chr \|+ord }map{substrSq`S_+\|`\|}3E\|-\|`7**2-3:)=~y+S\|`+$1,++print+eval$q,q,a, [download]	[reply] [d/l] [select]
Re^2: JSON::XS and escaping literal strings by abelard12 (Novice) on Jun 06, 2018 at 23:37 UTC
Thanks. And yes, this is within the context of embedding the JSON within HTML. I had wanted to include a code example, but having troubles getting it to post here. I'll try again. I'm HTML encoding a couple of < characters in the code block below, just to get it to post. `#!/usr/bin/env perl use strict; use warnings; use JSON; my $untrusted = q{ETAGO problem? </script><script>window.alert('POWNED!');</scrip +t>}; my %data = ( '@context' => 'http://schema.org', '@type' => 'BlogPosting', description => $untrusted, ); my $json = JSON->new->encode(\%data); print qq{ <html> <body> <h1>Test</h1> <script type="ld+json">$json</script> </body> </html> };` [download] That breaks out and triggers the alert for me in Chrome.	[reply] [d/l]
Re^3: JSON::XS and escaping literal strings by tobyink (Canon) on Jun 07, 2018 at 06:38 UTC
This works though, right? `(my $json = JSON->new->encode(\%data)) =~ s{\/}{\\\/}g;` [download] toby döt ink	[reply] [d/l]
Re^4: JSON::XS and escaping literal strings by Anonymous Monk on Jun 07, 2018 at 21:27 UTC
Re^5: JSON::XS and escaping literal strings by Anonymous Monk on Jun 08, 2018 at 01:57 UTC
Some notes below your chosen depth have not been shown here
Re: JSON::XS and escaping literal strings by Your Mother (Archbishop) on Jun 06, 2018 at 23:11 UTC
Slashes are not illegal or in need of escape in JSON. Perhaps you mean in URIs? If every single toolkit does things a certain way, it's pretty safe to assume they're in the right.	[reply]