Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

:html_safe is NOT html safe #194

Closed
kaaboaye opened this issue May 4, 2020 · 0 comments
Closed

:html_safe is NOT html safe #194

kaaboaye opened this issue May 4, 2020 · 0 comments

Comments

@kaaboaye
Copy link

kaaboaye commented May 4, 2020

If json contains the following string <!-- anything here <script> it will comment out the rest of HTML braking the website.

The problem?

Adding the :html_safe to encode/2 doesn't escape this sequence.

Reproduction

<script>
const a = "<!-- <script>"
</script>
<h1>This is commented out</h1>

Why is that?

Because of the HTML Spec https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements

Fix in Jason

Fixed here
michalmuskala/jason@188e66b
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
b6b61b5 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Added `Date.Range` encoding
* Allow `:as` decode option to be a function
* Added a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improved performance

Breaking Changes:

* Removed deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
cdfa922 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Add `Date.Range` encoding
* Allow `:as` decode option to be a function
* Add a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improve performance

Breaking Changes:

* Remove deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
959170e 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Add `Date.Range` encoding
* Allow `:as` decode option to be a function
* Add a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improve performance

Breaking Changes:

* Remove deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
e708cd2 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Add `Date.Range` encoding
* Allow `:as` decode option to be a function
* Add a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improve performance

Breaking Changes:

* Remove deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
2be70de 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Add `Date.Range` encoding
* Allow `:as` decode option to be a function
* Add a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improve performance

Breaking Changes:

* Remove deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
47f0214 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Add `Date.Range` encoding
* Allow `:as` decode option to be a function
* Add a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improve performance

Breaking Changes:

* Remove deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
8df24bf 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Add `Date.Range` encoding
* Allow `:as` decode option to be a function
* Add a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improve performance

Breaking Changes:

* Remove deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
e1f07d7 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Add `Date.Range` encoding
* Allow `:as` decode option to be a function
* Add a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improve performance

Breaking Changes:

* Remove deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
devinus added a commit that referenced this issue Jun 9, 2024
@devinus
Poison 6
de73e04 
Features:

* Support Erlang 27 and Elixir 1.17
* Reintroduce `Poison.encode_to_iodata!/1` for Phoenix compatibility
* Make `:html_safe` encode option follow OWASP recommended HTML
  escaping
* Add `Date.Range` encoding
* Allow `:as` decode option to be a function
* Add a CHANGELOG

Bug Fixes:

* Stop double decoding structs
* Fix various typespecs
* Correctly encode some UTF-8 surrogate pairs

Performance Improvements:

* Significantly improve performance

Breaking Changes:

* Remove deprecated `HashSet` encoding
* Minimum supported versions are now Erlang 24 and Elixir 1.12

Closes #105, #172, #191, #194, #199, #206, #207, #214, #217, #222.
This was referenced Jun 9, 2024
Closed
Merged
@devinus devinus closed this as completed Jun 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@devinus @kaaboaye