json: escape < and > in any JSON string.
Angle brackets can trigger some browser sniffers, causing some forms of JSON output to be interpreted as HTML. Escaping angle brackets closes that security hole. R=rsc CC=golang-dev https://golang.org/cl/4701047
This commit is contained in:
parent
fc1f0bd5e9
commit
cbad580e9c
@ -208,6 +208,18 @@ func TestUnmarshalPtrPtr(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestEscape(t *testing.T) {
|
||||||
|
const input = `"foobar"<html>`
|
||||||
|
const expected = `"\"foobar\"\u003chtml\u003e"`
|
||||||
|
b, err := Marshal(input)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Marshal error: %v", err)
|
||||||
|
}
|
||||||
|
if s := string(b); s != expected {
|
||||||
|
t.Errorf("Encoding of [%s] was [%s], want [%s]", input, s, expected)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestHTMLEscape(t *testing.T) {
|
func TestHTMLEscape(t *testing.T) {
|
||||||
b, err := MarshalForHTML("foobarbaz<>&quux")
|
b, err := MarshalForHTML("foobarbaz<>&quux")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
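Review bot: TestEscape pins only the encoding direction of the new escaping; nothing asserts that the `\u003c`/`\u003e` output still decodes back to the original string, which is what makes the change safe for every Marshal caller rather than just the HTML case. After the `s != expected` check, a round trip would close that gap: `var got string` / `if err := Unmarshal(b, &got); err != nil || got != input { t.Errorf("Unmarshal of [%s] gave [%q], %v; want [%q]", s, got, err, input) }`. The test also leaves `&` out of `input`, which is consistent with the MarshalForHTML test below only if plain Marshal is meant to leave `&` untouched; a one-line comment stating that split (`// & is only escaped by MarshalForHTML; see TestHTMLEscape.`) would keep the two tests from drifting apart. The context before the hunk belongs to TestUnmarshalPtrPtr, whose body starts outside the hunk.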
@ -337,7 +337,7 @@ func (e *encodeState) string(s string) {
|
|||||||
start := 0
|
start := 0
|
||||||
for i := 0; i < len(s); {
|
for i := 0; i < len(s); {
|
||||||
if b := s[i]; b < utf8.RuneSelf {
|
if b := s[i]; b < utf8.RuneSelf {
|
||||||
if 0x20 <= b && b != '\\' && b != '"' {
|
if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' {
|
||||||
i++
|
i++
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -355,6 +355,10 @@ func (e *encodeState) string(s string) {
|
|||||||
e.WriteByte('\\')
|
e.WriteByte('\\')
|
||||||
e.WriteByte('r')
|
e.WriteByte('r')
|
||||||
default:
|
default:
|
||||||
|
// This encodes bytes < 0x20 except for \n and \r,
|
||||||
|
// as well as < and >. The latter are escaped because they
|
||||||
|
// can lead to security holes when user-controlled strings
|
||||||
|
// are rendered into JSON and served to some browsers.
|
||||||
e.WriteString(`\u00`)
|
e.WriteString(`\u00`)
|
||||||
e.WriteByte(hex[b>>4])
|
e.WriteByte(hex[b>>4])
|
||||||
e.WriteByte(hex[b&0xF])
|
e.WriteByte(hex[b&0xF])
|
||||||
|
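Review bot: The new condition at `if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>'` changes the output of every Marshal call, not only HTML-bound ones, and that contract is documented only in the comment inside the `default` branch of the second hunk; a reader of Marshal's doc comment will not learn that `<` and `>` are always emitted as `\u003c`/`\u003e`, so the sentence `// Angle brackets "<" and ">" are escaped to "\u003c" and "\u003e" to keep the JSON from being sniffed as HTML; "&" is not escaped here (see MarshalForHTML).` belongs on Marshal as well (the `&` part is inferred from TestHTMLEscape and should be confirmed against MarshalForHTML, which is outside this diff). As the exclusion list grows, the chain of `!=` tests is easier to audit as a `switch b { case '\\', '"', '<', '>': ... }` or a 128-entry safe-byte table, so each escaped byte sits on its own line next to the reason for it. This fast path only covers `b < utf8.RuneSelf`; the JavaScript line terminators U+2028/U+2029, which a defender would want treated the same way, take the multi-byte path further down the function, which is not visible in these hunks. The enclosing `(*encodeState).string` starts before the first hunk and ends after the second.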