1
0
mirror of https://github.com/golang/go synced 2024-11-21 20:34:40 -07:00

json: escape < and > in any JSON string.

Angle brackets can trigger some browser sniffers, causing
some forms of JSON output to be interpreted as HTML.
Escaping angle brackets closes that security hole.

R=rsc
CC=golang-dev
https://golang.org/cl/4701047
This commit is contained in:
David Symonds 2011-07-14 13:30:08 +10:00
parent fc1f0bd5e9
commit cbad580e9c
2 changed files with 17 additions and 1 deletions

View File

@ -208,6 +208,18 @@ func TestUnmarshalPtrPtr(t *testing.T) {
}
}
func TestEscape(t *testing.T) {
const input = `"foobar"<html>`
const expected = `"\"foobar\"\u003chtml\u003e"`
b, err := Marshal(input)
if err != nil {
t.Fatalf("Marshal error: %v", err)
}
if s := string(b); s != expected {
t.Errorf("Encoding of [%s] was [%s], want [%s]", input, s, expected)
}
}
func TestHTMLEscape(t *testing.T) {
b, err := MarshalForHTML("foobarbaz<>&quux")
if err != nil {

View File

@ -337,7 +337,7 @@ func (e *encodeState) string(s string) {
start := 0
for i := 0; i < len(s); {
if b := s[i]; b < utf8.RuneSelf {
if 0x20 <= b && b != '\\' && b != '"' {
if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' {
i++
continue
}
@ -355,6 +355,10 @@ func (e *encodeState) string(s string) {
e.WriteByte('\\')
e.WriteByte('r')
default:
// This encodes bytes < 0x20 except for \n and \r,
// as well as < and >. The latter are escaped because they
// can lead to security holes when user-controlled strings
// are rendered into JSON and served to some browsers.
e.WriteString(`\u00`)
e.WriteByte(hex[b>>4])
e.WriteByte(hex[b&0xF])