search

artiebits / svelte-seo

Optimize your website for search engines and social media with meta tags, Open Graph, and JSON-LD.
MIT License
416 stars 25 forks source link

JSON-LD stringification is non-standard #30

Closed Eyas closed 2 years ago

Eyas commented 2 years ago

Describe the bug

Same as https://github.com/google/react-schemaorg/issues/9

JSON-LD stringification doesn't properly escape </script>, etc.

To Reproduce

  1. Set JSON-LD to
{ name: "</script><script>alert('xss')</script>" }

(which is valid)

Expected behavior Characters are escaped according to spec.

Additional context

The spec: https://www.w3.org/TR/json-ld11/#restrictions-for-contents-of-json-ld-script-elements

See the parent issue in https://github.com/w3c/json-ld-syntax/issues/100 where this was created.

Example fix: https://github.com/google/react-schemaorg/commit/22e7dec0f11db974b02b623bd933f59ce518cb96

artiebits commented 2 years ago

Hi @Eyas thank you very much for reporting the issue! I will fix it asap

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

artiebits commented 2 years ago

i will close this issue for now because it doesn't even compile if I add script tag inside of that string

[!] (plugin svelte) ParseError: Unterminated string constant
dev/components/App.svelte
53:     "@type": "NewsArticle",
54:     headline: "ldJson Article Headline",
55:     name: "<script>alert('xss')</script>",
              ^