in reply to Re^4: JSON::XS and escaping literal strings
in thread JSON::XS and escaping literal strings

sub escape_for_html {
    @_ or croak 'no json supplied';

[download]

Um, no. escaping for html isn't json specific, even if you're using it for json.

See also HTML::Entities

Replies are listed 'Best First'.
Re^6: JSON::XS and escaping literal strings
by tobyink (Canon) on Jun 08, 2018 at 09:23 UTC

    The idea of escaping things for HTML isn't specific to JSON, but this particular mechanism of escaping is.

    Firstly, in typical HTML, a slash is a safe character which won't need escaping. You'd normally need to escape "<" and "&" characters (and quotes if you're outputting data within an attribute), though often ">" is escaped for symmetry. However, as you're outputting the JSON within a <script> element, the usual escaping isn't necessary and (unless you're serving your HTML as XHTML with an XML media type) will not work. HTML::Entities will not work for this purpose. However, the combination of "</" is still dangerous so needs escaping. Escaping "/" as "\/" is specific to Javascript/JSON strings, not a general HTML thing.

    toby döt ink
[reply]
[d/l]
Re^6: JSON::XS and escaping literal strings
by Anonymous Monk on Jun 08, 2018 at 02:15 UTC

    Well, no, you can't simply HTML encode it. If you want to display JSON within an HTML document, then sure. But the goal here is to safely embed the JSON within a script tag.

    We can quibble about the naming, but the point is that the forward slash needs to be escaped in this context because it is being placed within the script tag. It has nothing to do with JSON per se.

[reply]

In Section Seekers of Perl Wisdom