Closed hyperknot closed 1 year ago
I'm sorry for a late reply.
In general, in JavaScript syntax "\u003C"
and "\x3C"
represent the exact same string (this is not true of JSON where only the \u
forms are supported).
I can't really reproduce the issue. If you have a way for me to reproduce, feel free to reopen.
The html_safe encoding doesn't always work. For example:
<script>
->\u003Cscript>
</script>
->\u003C\/script>
The browser parses this as:
\x3Cscript>
or\x3C/script>
The reference implementation for me is Python's Jinja2's
htmlsafe_json_dumps
: https://github.com/pallets/jinja/blob/4bbb1fb5fe5ec141d302c5baff95165887fb7338/src/jinja2/utils.py#L626The Python implementation encodes:
<script>
->\u003cscript\u003e
</script>
->\u003c/script\u003e
The browser correctly parses these.
It might be as simple as lower vs. uppercase C, but the implementation looks quite complex so I couldn't figure out the bug. I like the simplicity of the Python implementation, it's just 4 string replacement.