OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License

JavaScriptEncoder escapes "-", which makes dates escaped #44

Closed marwin1991 closed 2 years ago

marwin1991 commented 3 years ago

I refer to this part of code:

    if (mode == Mode.BLOCK || mode == Mode.HTML) {
        // in <script> blocks, we need to prevent the browser from seeing
        // "</anything>" and "<!--". To do so we escape "/" as "\/" and
        // escape "-" as "\-".  Both could be solved with a hex encoding
        // on "<" but we figure "<" appears often in script strings and
        // the backslash encoding is more readable than a hex encoding.
        // (And note, a backslash encoding would not prevent the exploits
        // on "</...>" and "<!--".)
        // In short "</script>" is escaped as "<\/script>" and "<!--" is
        // escaped as "<!\-\-".
        _validMasks[1] &= ~((1 << '/') | (1 << '-'));
    }

The problem is with "-" because "-" is also used in date formats, e.g. 2000-01-01

I am not sure but maybe "--" should be escaped to "\--" ?

jmanico commented 3 years ago

cc @jeremylong any suggestions here?

jmanico commented 2 years ago

Why is escaping - a problem? This should be for the UI where we are just displaying data.

Can you give me a code snippet that triggered the error? I bet we can work around it.

jeremylong commented 2 years ago

I would be very curious about a valid use case where this would be a problem. Can an example be provided?

marwin1991 commented 2 years ago

From what I remember, when you have a date like 2022-03-25 it is escaped to 2022\-03\-25

jeremylong commented 2 years ago

What I'm asking in code - why is this a problem?

See https://jsfiddle.net/jeremy_long/we3f9dxm/1/
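The point of Jeremy's POC, reproduced here as an added example (not code from the owasp-java-encoder project): a deliberately reduced JavaScript re-implementation of the BLOCK-mode rule quoted at the top of the thread, in which `encodeForJsBlock`, `roundTrip` and `containsScriptBreakout` are names chosen for this example. It shows that a JS engine parses the literal "2022\-03\-25" back to "2022-03-25" (a backslash before "-" or "/" is an identity escape), while "</script>" and "<!--" can no longer terminate the script block.

```javascript
// Simplified stand-in for the BLOCK-mode escaping discussed in the issue.
// Only the characters relevant to this thread are handled; the real encoder
// escapes far more (control characters, non-ASCII, line terminators, etc.).
function encodeForJsBlock(s) {
  let out = "";
  for (const ch of s) {
    switch (ch) {
      case "\\": out += "\\\\"; break;
      case '"':  out += '\\"';  break;
      case "'":  out += "\\'";  break;
      case "/":  out += "\\/";  break; // keeps "</script>" out of the block
      case "-":  out += "\\-";  break; // keeps "<!--" out of the block
      case "\n": out += "\\n";  break;
      case "\r": out += "\\r";  break;
      default:   out += ch;
    }
  }
  return out;
}

// Build the string literal a server would emit inside <script>, then let the
// JS engine parse that literal exactly as a browser would. Function() is used
// only to observe how the literal is decoded, on input constructed here.
function roundTrip(s) {
  const literal = '"' + encodeForJsBlock(s) + '"';
  return new Function("return " + literal + ";")();
}

// Would the HTML parser, which scans <script> text before any JS runs,
// see an end tag or a comment opener in this emitted literal?
function containsScriptBreakout(literal) {
  return /<\/|<!--/i.test(literal);
}

// Constructed sample values: the date from the issue and a breakout attempt.
const encodedDate = encodeForJsBlock("2022-03-25");      // "2022\-03\-25"
const decodedDate = roundTrip("2022-03-25");             // "2022-03-25"
const riskyLiteral = '"' + encodeForJsBlock("</script><!-- x") + '"';
console.log(encodedDate, decodedDate, containsScriptBreakout(riskyLiteral));
```

The escaped form only looks odd in the page source; the value the script actually receives is unchanged, which is why the thread concludes this is not a defect.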

jmanico commented 2 years ago

I do not see this as an issue per Jeremy's POC. Please re-open if you think otherwise!