mirror of https://github.com/golang/go synced 2024-11-17 18:04:48 -07:00

encoding/json: revert Compact HTML escaping documentation

This partly reverts CL 173417 as it incorrectly documented that Compact
performed HTML escaping and the output was safe to embed inside HTML
<script> tags. This has never been true.

Although Compact does escape U+2028 and U+2029, it doesn't escape <, >
or &. Compact is thus only performing a subset of HTML escaping and its
output is not safe to embed inside HTML <script> tags.

A more complete fix would be for Compact to either never perform any
HTML escaping, as it was prior to CL 10883045, or to actually perform
the same HTML escaping as HTMLEscape. Neither change is likely safe
enough for go1.13.

Updates #30357
Tom Thorogood 2019-08-02 16:54:27 +09:30 committed by Tom Thorogood
parent 2d6ee6e89a
commit aebababc92
No known key found for this signature in database
GPG Key ID: 86C63CDA416C6D2F
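
The behaviour the commit message describes, shown as an added example that is not part of this commit or of the Go project's code: `json.Compact` leaves `<`, `>` and `&` in string literals untouched, while a following `json.HTMLEscape` pass rewrites them as `\uXXXX` escapes. The helper names `CompactOnly`, `CompactForScript` and `HasRawHTMLChars` and the `sample` document are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample input: a string value holding a closing script tag
// and an ampersand, plus insignificant whitespace for Compact to remove.
var sample = []byte(`{ "note": "</script> & more" }`)

// CompactOnly (hypothetical helper) returns the json.Compact output unchanged.
func CompactOnly(src []byte) (string, error) {
	var buf bytes.Buffer
	if err := json.Compact(&buf, src); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// CompactForScript (hypothetical helper) compacts, then runs json.HTMLEscape
// so that <, >, &, U+2028 and U+2029 inside string literals become \uXXXX.
func CompactForScript(src []byte) (string, error) {
	var compacted, escaped bytes.Buffer
	if err := json.Compact(&compacted, src); err != nil {
		return "", err
	}
	json.HTMLEscape(&escaped, compacted.Bytes())
	return escaped.String(), nil
}

// HasRawHTMLChars reports whether s still contains a literal <, > or &.
func HasRawHTMLChars(s string) bool {
	return strings.ContainsAny(s, "<>&")
}

func main() {
	raw, _ := CompactOnly(sample)
	safe, _ := CompactForScript(sample)
	fmt.Println(raw, HasRawHTMLChars(raw))
	fmt.Println(safe, HasRawHTMLChars(safe))
}
```

The example checks only `<`, `>` and `&`, the characters the commit message says Compact does not escape.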


@ -8,9 +8,6 @@ import "bytes"
// Compact appends to dst the JSON-encoded src with
// insignificant space characters elided.
// Like Marshal, Compact applies HTMLEscape to any
// string literals so that the JSON will be safe to embed
// inside HTML <script> tags.
func Compact(dst *bytes.Buffer, src []byte) error {
return compact(dst, src, false)
}
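
Review bot: With the three HTMLEscape lines dropped, the doc comment above Compact no longer says anything about escaping, while the commit message states that Compact still escapes U+2028 and U+2029 but not <, > or &. Consider adding one sentence to the comment saying that the output is not safe to embed inside HTML <script> tags and pointing callers to HTMLEscape, so the partial escaping is documented rather than left for readers to infer from behaviour.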