Previously, we had the punctuation characters ",-.:[\]_{} allowed in the jsObj filter. This was mostly so the built-in JSON.stringify could be used without a replacer parameter for speed. However, this potentially allows for hijinx and other nonsense. This patch reduces the allowed punctuation to just ,.-_, which is the same as for the js filter.
Previously, we had the punctuation characters
",-.:[\]_{}allowed in thejsObjfilter. This was mostly so the built-inJSON.stringifycould be used without areplacerparameter for speed. However, this potentially allows for hijinx and other nonsense. This patch reduces the allowed punctuation to just,.-_, which is the same as for thejsfilter.