Closed kaaboaye closed 4 years ago
The problem?
If JSON contains the following string
<!-- anything here <script>
it will comment out the rest of the HTML, breaking the website.

Adding the :html_safe to encode/2 doesn't escape this sequence.
https://hexdocs.pm/jason/Jason.html#encode/2

Reproduction
<script>
  const a = "<!-- <script>"
</script>
<h1>This is commented out</h1>

Why is that?
Because of the HTML Spec https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
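One way to neutralise the sequence reported above before JSON is placed inside a script element, shown as an added example that is not code from the issue or from Jason. The function names `jsonForScript` and `hasRestrictedSequence` and the sample object are hypothetical; the approach (rewriting `<`, `>` and `&` as `\uXXXX` escapes after encoding) is a general technique, not a description of what `:html_safe` does.

```javascript
// Added example: make encoded JSON safe to embed in an inline <script> element.
// All names here are hypothetical and are not part of Jason's API.

const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// In JSON.stringify output, <, > and & can only occur inside string
// literals, where a \uXXXX escape is an equivalent spelling of the same
// character. Replacing them therefore never changes the decoded value.
function jsonForScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError("value is not JSON-serialisable");
  }
  return json.replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Detects the sequences the HTML spec restricts inside script contents:
// "<!--", "<script" and "</script" (matched case-insensitively).
function hasRestrictedSequence(scriptText) {
  return /<!--|<script|<\/script/i.test(scriptText);
}

// Constructed sample input containing the string from the report.
const sample = {
  comment: "<!-- anything here <script>",
  closer: "</script>",
};

const naive = JSON.stringify(sample);
const safe = jsonForScript(sample);

console.log("naive restricted:", hasRestrictedSequence(naive));
console.log("safe restricted: ", hasRestrictedSequence(safe));
console.log("round-trips:     ", JSON.parse(safe).comment === sample.comment);
```

The same `hasRestrictedSequence` check can run in a template test suite to flag any encoder output that would still trip the HTML parser.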