Issue 18290: json encoder does not support JSONP/JavaScript safe escaping

Created on 2013-06-24 04:46 by ztane, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (8)
msg191742 - Author: Antti Haapala (ztane) * Date: 2013-06-24 04:46
JSON is not a strict superset of JavaScript (http://timelessrepo.com/json-isnt-a-javascript-subset). However, certain web technologies use JSON values as a part of JavaScript code (JSONP, inline tag, no < cannot be escaped; however only the string '' (or sometimes </) is interpreted as the "end of script". Thus a non-trivial XSS attack can be made by having a JSON stream {"key":""} embedded in inline javascript. The only correct way to escape such content in inline html is to escape all / into \/. The \u2028, \u2029 problem is more subtle and can break not only inline javascript but also JSONP. Thus an incorrect value injected by a malicious or unwitting user into the database might break the entire protocol. The current solution is to re-escape everything that comes out of the JSON encoder. The best solution for python would be to make these 3 escapes default in the python json module (notice again that the current set of default escapes when ensure_ascii=False is chosen arbitrarily), or if not default, then at least they could be enabled by a switch. Furthermore, documentation should be updated appropriately, to explain why such escaping is needed.
msg191744 - Author: Antti Haapala (ztane) * Date: 2013-06-24 04:57
My mistake in writing, json ofc does specify that "control characters" be escaped. Then, it needs to be pointed out that the JSON module DOES not currently escape \u007f-\u009f as it maybe strictly should:

>>> unicodedata.category('\u007f')
'Cc'
>>> json.dumps({'a': '\u007f'}, ensure_ascii=False)
'{"a": "\x7f"}'
msg194537 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2013-08-06 12:29
I think this is not a JSON issue. If you need escaping of some domain-specific characters, do it yourself. I.e.:

json.dump(...).replace('\u2028', r'\u2028').replace('\u2029', r'\u2029').replace('</', r'\u003c\u002f')
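The following is an added example, not code from this thread or from the Python json module, that turns the post-processing workaround above (and the \u007f-\u009f gap noted in msg191744) into a small wrapper around json.dumps. It follows the "</" approach rather than escaping every "/", and the function name dumps_js_safe and the regex are my own choices. Because every substitution is a plain \uXXXX escape, the output is still valid JSON and round-trips through json.loads unchanged.

```python
import json
import re

# Characters that are legal inside a JSON string but unsafe when the JSON is
# embedded in a <script> element or a JSONP response:
#   U+2028 / U+2029 are line terminators in JavaScript, so an unescaped one
#     terminates the statement and breaks the script or the JSONP callback;
#   "</" can close an inline <script> element early (see the thread above);
#   U+007F-U+009F are Unicode "Cc" control characters that json.dumps leaves
#     raw when ensure_ascii=False (msg191744).
_UNSAFE = re.compile('[\u2028\u2029\u007f-\u009f]|</')


def _escape(match):
    """Return a \\uXXXX JSON escape for the matched unsafe text."""
    text = match.group(0)
    if text == '</':
        # Same replacement as the workaround in msg194537.
        return r'\u003c\u002f'
    return ''.join('\\u%04x' % ord(ch) for ch in text)


def dumps_js_safe(obj, **kwargs):
    """json.dumps with extra escaping for embedding in <script> or JSONP.

    Hypothetical helper name (not part of the json module).  ensure_ascii
    defaults to False here because that is the mode in which the raw
    U+2028/U+2029 and U+007F-U+009F characters survive json.dumps; with
    ensure_ascii=True only the "</" rewrite is still needed.
    """
    kwargs.setdefault('ensure_ascii', False)
    return _UNSAFE.sub(_escape, json.dumps(obj, **kwargs))


if __name__ == '__main__':
    # Constructed sample values covering each unsafe case.
    sample = {'tag': '</script>', 'sep': 'a\u2028b', 'ctl': '\u007f'}
    print(json.dumps(sample, ensure_ascii=False))  # raw, unsafe in <script>
    print(dumps_js_safe(sample))                   # escaped, still valid JSON
```

Usage: call dumps_js_safe() wherever the encoded value will be written into an inline script or returned as a JSONP body; the regular json.dumps remains the right choice for plain application/json responses.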
msg194581 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-08-06 21:25
On the one hand, supporting JSONP is a valid request for the json module. On the other hand, according to Wikipedia, "There have been some criticisms raised about JSONP. Cross-origin resource sharing (CORS) is a more recent method of getting data from a server in a different domain, which addresses some of those criticisms". Therefore, supporting JSONP might not really be worth it.
msg194648 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2013-08-08 07:27
Embedding JSON inside