pugjs / js-stringify

Stringify an object so it can be safely inlined in JavaScript code
MIT License

Should it escape more control and unusual characters? #3

Closed mk-pmb closed 8 years ago

mk-pmb commented 8 years ago

I noticed that js-stringify replaces low ASCII control characters with Unicode hex escapes. Should it do similar for some others, like U+0090 device control or U+FEFF zero width no-break space? My Firefox has no problem with them, as it has no problem with U+0002, so that's probably not the criterion. How do you decide?

PS: In case it helps, here's a list of characters I consider suspicious.

TimothyGu commented 8 years ago

We escape them because they can possibly contribute to an XSS attack when the source is directly embedded in an HTML <script> tag.

ForbesLindesay commented 8 years ago

Yes, there are two types of character we escape in this way:

  1. Characters that are not valid in a JavaScript string (\u2028 and \u2029) - needed to prevent bugs
  2. Characters that could have special meaning if in an inline script in HTML (<, >, /) - needed to prevent XSS

We don't escape characters that are already escaped by JSON.stringify, or don't fit into one of the two categories above.
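To make the two rules above concrete, here is a small added example in JavaScript. It is not js-stringify's own implementation; it applies exactly the two categories Forbes lists (the line terminators U+2028/U+2029, and the tag characters `<`, `>`, `/`) on top of `JSON.stringify`, leaves everything else alone (so U+0090 and U+FEFF from the question pass through untouched, matching the maintainer's rule), and checks that the escaped output still parses back to the same value. The sample object and the `inlineScript` wrapper are constructed for the demonstration.

```javascript
// Added example (not js-stringify's code): escape the output of
// JSON.stringify so it can sit inside an inline <script> block.

// Category 1: U+2028/U+2029 are JS line terminators and, before ES2019,
// were not allowed unescaped inside a string literal.
// Category 2: '<', '>' and '/' are the characters that can form
// "</script>" (or other tag syntax) when the JSON is embedded in HTML.
// Every replacement is itself a valid JSON escape, so the result is
// still parseable with JSON.parse.
const ESCAPES = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function safeStringify(value) {
  const json = JSON.stringify(value);
  if (json === undefined) return 'undefined'; // JSON.stringify(undefined) has no output
  return json.replace(/[<>\/\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Constructed sample: untrusted text that tries to close the script block.
const SAMPLE = {
  comment: '</script><b>injected markup</b>',
  note: 'line\u2028separator',
  bom: '\uFEFFkept as-is',   // not in either category, so not escaped
};

// Constructed wrapper: how a template might inline the data.
function inlineScript(value) {
  return '<script>var data = ' + safeStringify(value) + ';</script>';
}

// The escaped form must still decode to the original value.
function roundTrips(value) {
  return JSON.parse(safeStringify(value));
}

// Count literal "</script>" occurrences; only the real closing tag may appear.
function closingTagCount(html) {
  return html.split('</script>').length - 1;
}

console.log(inlineScript(SAMPLE));
```

Run with `node`: the printed `<script>` block contains the closing tag exactly once, and none of the user-supplied `<`, `>` or `/` characters survive unescaped.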