author | Jean Boussier <[email protected]> | 2023-04-13 19:22:29 +0200 |
---|---|---|
committer | Hiroshi SHIBATA <[email protected]> | 2023-12-01 16:47:06 +0900 |
commit | 0dfeb172968cdaefca2ab828c94d3e5f44d91f8f (patch) | |
tree | 2850662a485dd3f42068bf14ce4618d77b4b13d6 /ext/json/generator/generator.h | |
parent | 698cb8406298ff289ba7abadf34abc3d09a07ef0 (diff) |
Rename escape_slash in script_safe and also escape E+2028 and E+2029
It is rather common to directly interpolate JSON string inside
<script> tags in HTML as to provide configuration or parameters to a
script.
However this may lead to XSS vulnerabilities, to prevent that 3
characters need to be escaped:
- `/` (forward slash)
- `U+2028` (LINE SEPARATOR)
- `U+2029` (PARAGRAPH SEPARATOR)
The forward slash need to be escaped to prevent closing the script
tag early, and the other two are valid JSON but invalid Javascript
and can be used to break JS parsing.
Given that the intent of escaping forward slash is the same as escaping
U+2028 and U+2029, I chose to rename and repurpose the existing `escape_slash`
option.
Diffstat (limited to 'ext/json/generator/generator.h')
-rw-r--r-- | ext/json/generator/generator.h | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/ext/json/generator/generator.h b/ext/json/generator/generator.h
index 3ebd622554..5e6a228040 100644
--- a/ext/json/generator/generator.h
+++ b/ext/json/generator/generator.h
@@ -49,8 +49,8 @@ static const UTF32 halfMask = 0x3FFUL;
 static unsigned char isLegalUTF8(const UTF8 *source, unsigned long length);
 static void unicode_escape(char *buf, UTF16 character);
 static void unicode_escape_to_buffer(FBuffer *buffer, char buf[6], UTF16 character);
-static void convert_UTF8_to_JSON_ASCII(FBuffer *buffer, VALUE string, char escape_slash);
-static void convert_UTF8_to_JSON(FBuffer *buffer, VALUE string, char escape_slash);
+static void convert_UTF8_to_JSON_ASCII(FBuffer *buffer, VALUE string, char script_safe);
+static void convert_UTF8_to_JSON(FBuffer *buffer, VALUE string, char script_safe);
 static char *fstrndup(const char *ptr, unsigned long len);
 /* ruby api and some helpers */
@@ -72,7 +72,7 @@ typedef struct JSON_Generator_StateStruct {
 long max_nesting;
 char allow_nan;
 char ascii_only;
- char escape_slash;
+ char script_safe;
 long depth;
 long buffer_initial_length;
 } JSON_Generator_State;
@@ -151,8 +151,8 @@ static VALUE cState_allow_nan_p(VALUE self);
 static VALUE cState_ascii_only_p(VALUE self);
 static VALUE cState_depth(VALUE self);
 static VALUE cState_depth_set(VALUE self, VALUE depth);
-static VALUE cState_escape_slash(VALUE self);
-static VALUE cState_escape_slash_set(VALUE self, VALUE depth);
+static VALUE cState_script_safe(VALUE self);
+static VALUE cState_script_safe_set(VALUE self, VALUE depth);
 static FBuffer *cState_prepare_buffer(VALUE self);
 #ifndef ZALLOC
 #define ZALLOC(type) ((type *)ruby_zalloc(sizeof(type))) |
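Review bot: The renamed `script_safe` field in `JSON_Generator_State` (second hunk) carries no comment, and the new name promises more than `escape_slash` did. I would add `/* non-zero: escape '/', U+2028 and U+2029 so the output can be placed inside an HTML <script> element */` beside it. Going by the commit description only those three characters are covered, so the comment should keep callers from reading the flag as general HTML escaping; output placed in attributes or other HTML contexts presumably still needs its own encoding. The struct begins above the hunk, so the other fields' documentation is not visible here.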
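Review bot: The setter prototype in the third hunk keeps `VALUE depth` as the name of its second parameter, which looks copied from `cState_depth_set` two lines above and does not describe a boolean option. Since the line is rewritten by this commit anyway, `static VALUE cState_script_safe_set(VALUE self, VALUE enable);` would read correctly. The definition lives outside this header, so its parameter name would need the same change to stay consistent.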