Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Embedding JSON objects in script tags

Tags:

EDIT: For future reference, I'm using non-xhtml content type definition <!html>

I'm creating a website using Django, and I'm trying to embed arbitrary json data in my pages to be used by client-side javascript code.

Let's say my json object is {"foo": "</script>"}. If I embed this directly,

<script type='text/javascript'>JSON={"foo": "</script>"};</script>

The first closes the json object. (also, it will make the site vulnerable to XSS, since this json object will be dynamically generated).

If I use django's HTML escape function, the resulting output is:

<script type='text/javascript'>JSON={&quot;foo&quot;: &quot;&lt;/script&gt;&quot;};</script>

and the browser cannot interpret the <script> tag.

The question I have here is,

  1. Which characters am i suppose to escape / not escape in this situation?
  2. Is there automated way to perform this in Python / django?
like image 540
Jeeyoung Kim Avatar asked Nov 14 '10 06:11

Jeeyoung Kim

People also ask

Can JSON be embedded in XML?

For a JSON attribute of a simple type, it converts the value to text data within the element. Embedded JSON objects are converted to embedded XML elements.

Can JSON be used in HTML?

JSON can very easily be translated into JavaScript. JavaScript can be used to make HTML in your web pages.

Can you put HTML in script tag?

The <script> tag can be placed in the <head> section of your HTML or in the <body> section, depending on when you want the JavaScript to load.

2 Answers

If you are using XHTML, you would be able to use entity references (&lt;, &gt;, &amp;) to escape any string you want within <script>. You would not want to use a <![CDATA[...]]> section, because the sequence "]]>" can't be expressed within a CDATA section, and you would have to change the script to express ]]>.

But you're probably not using XHTML. If you're using regular HTML, the <script> tag acts somewhat like a CDATA section in XML, except that it has even more pitfalls. It ends with </script>. There are also arcane rules to allow <!-- document.write("<script>...</script>") --> (the comments and <script> opening tag must both be present for </script> to be passed through). The compromise that the HTML5 editors adopted for future browsers is described in HTML 5 tokenization and CDATA Escapes

I think the takeaway is that you must prevent </script> from occurring in your JSON, and to be safe you should also avoid <script>, <!--, and --> to prevent runaway comments or script tags. I think it's easiest just to replace < with \u003c and --> with --\>

like image 106
yonran Avatar answered Oct 17 '22 02:10

yonran

I tried backslash escaping the forward slash and that seems to work:

<script type='text/javascript'>JSON={"foo": "<\/script>"};</script>

have you tried that?

On a side note, I am surprised that the embedded </script> tag in a string breaks the javascript. Couldn't believe it at first but tested in Chrome and Firefox.

like image 30
slebetman Avatar answered Oct 17 '22 03:10

slebetman
Sign in to Comment

Related questions

Activity idle timeout for HistoryRecord?
Huge Django Session table, normal behaviour or bug?
Execution point between prepare-package and package in Maven build-process
Finding repeating patterns/images in images
Auto import for Xcode
How compile time recursion works?
Split a string to a string of valid words using Dynamic Programming
Is there any reason to make POCOs into Model objects?
How to correctly reference a function in an anonymous namespace
Django - How to make a form for a model's foreign keys?
is i=f(); defined when f modifies i?
Ruby: creating a sandboxed eval?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!