[PATCH] templatefilters: don't escape <> in JSON
Gregory Szorc
gregory.szorc at gmail.com
Fri Jan 16 13:24:19 CST 2015
On 1/16/15 11:20 AM, Matt Mackall wrote:
> On Thu, 2015-01-15 at 21:04 -0800, Gregory Szorc wrote:
>> # HG changeset patch
>> # User Gregory Szorc <gregory.szorc at gmail.com>
>> # Date 1421384385 28800
>> # Thu Jan 15 20:59:45 2015 -0800
>> # Node ID a07b22eefd8e4c629b739778b3ca5f3d53a8b1de
>> # Parent 049a9e3a078d7c988cb12ed456aad6ec2779ea69
>> templatefilters: don't escape <> in JSON
>>
>> 55c763926a28 added escaping of "<" and ">" in JSON. I could not find any
>> specification claiming that these are special characters that need to be
>> escaped. Furthermore, feeding these characters through both Python's and
>> SpiderMonkey's JSON serialization API revealed no escaping.
>
> The original patch was not technically paranoid because I already had an
> hgweb exploit. Discovered it somewhere while working through the first
> dozen levels of this:
>
> http://escape.alf.nu/
Well, then I argue it's a failure in hgweb to escape content from JSON
entities.
It would be a general issue if this set of escapes applied to other
encoders (like HTML). But I could find no such use.
More information about the Mercurial-devel
mailing list