Closed kaaboaye closed 4 months ago
If json contains the following string `<!-- anything here <script>` it will comment out the rest of HTML, breaking the website.

The problem?

Adding the `:html_safe` to `encode/2` doesn't escape this sequence.

Reproduction

```html
<script>
  const a = "<!-- <script>"
</script>
<h1>This is commented out</h1>
```

Why is that?

Because of the HTML Spec https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements

Fix in Jason

Fixed here https://github.com/michalmuskala/jason/commit/188e66b40d99ccb43cd4a67f142f083640e62ed7
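The following is an added example, not part of the original report and not Jason's code. It models, in simplified form, the script-data states from the linked section of the HTML spec to show where the inline script from the reproduction actually ends, next to a generic output-escaping step. The function names and the choice to escape `<`, `>`, `&`, U+2028 and U+2029 as `\uXXXX` are assumptions made for the example, not a description of the linked commit.

```javascript
// Added example (not Jason's code). Simplified model of the HTML tokenizer's
// script-data states, enough to show where a <script> element really ends.
const DELIM = /[\t\n\f\r \/>]/;

// True when `html` at `i` holds `prefix` ("<script" or "</script"),
// case-insensitively, followed by whitespace, "/" or ">".
function tagAt(html, i, prefix) {
  const end = i + prefix.length;
  return html.slice(i, end).toLowerCase() === prefix && DELIM.test(html.charAt(end));
}

// Index of the "</script" that closes the element whose text starts at `from`,
// or -1 if the parser reaches end of input while still inside the script.
function scriptCloseIndex(html, from) {
  let state = "data"; // "data" | "escaped" | "doubleEscaped"
  for (let i = from; i < html.length; i++) {
    if (state === "data" && html.startsWith("<!--", i)) {
      state = "escaped";
      i += 1; // keep the dashes in view so "<!-->" closes immediately
    } else if (state !== "data" && html.startsWith("-->", i)) {
      state = "data";
    } else if (state === "escaped" && tagAt(html, i, "<script")) {
      state = "doubleEscaped";
    } else if (tagAt(html, i, "</script")) {
      if (state !== "doubleEscaped") return i;
      state = "escaped"; // here the end tag only leaves double-escaped mode
    }
  }
  return -1;
}

// Generic mitigation, assumed here rather than taken from the Jason commit:
// emit <, >, &, U+2028 and U+2029 as \uXXXX so no markup reaches the tokenizer.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Constructed sample: the string from the report inside an inline script.
const payload = "<!-- anything here <script>";
const page = (json) => `<script>const a = ${json}</script><h1>After</h1>`;
const raw = page(JSON.stringify(payload));
const safe = page(jsonForScript(payload));
console.log("raw closes at:", scriptCloseIndex(raw, 8));
console.log("escaped closes at:", scriptCloseIndex(safe, 8));
```

With the raw encoding the script never closes, so the `<h1>` is swallowed as script text; with the escaped encoding the first `</script>` closes the element and the value still parses back to the original string.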