in reply to Re: JSON::XS and escaping literal strings
in thread JSON::XS and escaping literal strings

Thanks. And yes, this is within the context of embedding the JSON within HTML.

I had wanted to include a code example, but having troubles getting it to post here. I'll try again. I'm HTML encoding a couple of < characters in the code block below, just to get it to post.

#!/usr/bin/env perl

use strict;
use warnings;
use JSON;

my $untrusted =
  q{ETAGO problem? </script><script>window.alert('POWNED!');&lt;/scrip
+t>};

my %data = (
  '@context'  => 'http://schema.org',
  '@type'     => 'BlogPosting',
  description => $untrusted,
);

my $json = JSON->new->encode(\%data);
print qq{
  <html>
    <body>
      <h1>Test</h1>
      <script type="ld+json">$json&lt;/script>
    </body>
  </html>
};

[download]

That breaks out and triggers the alert for me in Chrome.

Replies are listed 'Best First'.
Re^3: JSON::XS and escaping literal strings
by tobyink (Canon) on Jun 07, 2018 at 06:38 UTC
[reply]
[d/l]

      Yes, it does.

      I did some more research on this. I confirmed that the JSON spec does not require escaping of forward slashes.

      Some platforms escape the forward slash by default but allow you to disable that behavior (e.g., php, json-c). I assume that's for safety.

      Others expect you to escape it yourself when using it within the context of HTML. Ruby's ERB provides an escape_json method. Here's the essence of that:

      JSON_ESCAPE = { "&" => '\u0026', ">" => '\u003e', "<" => '\u003c', "\u
+2028" => '\u2028', "\u2029" => '\u2029' }
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u

      [download]

      I've decided to move to Cpanel::JSON::XS, since it has support for more of the ::PP settings. And I've written a wrapper around it for our app that sets the appropriate defaults (e.g., escape_slash). I wrote a Perl version of the escape_json() from ERB.

      {
  my %escape = (
    "&"        => '\u0026',
    ">"        => '\u003E',
    "<"        => '\u003C',
    '\x{2028}' => '\u2028',
    '\x{2029}' => '\u2029',
  );

  my $chars = join '', keys %escape;
  my $regex = qr/[$chars]/;

  sub escape_for_html {
    my $class = shift;

    @_ or croak 'no json supplied';
    my @json  = @_;

    foreach (@json) {
      s/($regex)/$escape{ $1 }/ge if defined;
    }

    return wantarray ? @json : join('', @json);
  }
}

      [download]
[reply]
[d/l]
[select]

        sub escape_for_html {
    @_ or croak 'no json supplied';

        [download]

        Um, no. escaping for html isn't json specific, even if you're using it for json.

        See also HTML::Entities

[reply]
[d/l]

In Section Seekers of Perl Wisdom