[PATCH 3 of 3] encoding: backport paranoid escaping from templatefilters.jsonescape()

Matt Mackall mpm at selenic.com
Sat Jan 16 11:52:02 CST 2016


On Sat, 2016-01-16 at 21:33 +0900, Yuya Nishihara wrote:
> # HG changeset patch
> # User Yuya Nishihara <yuya at tcha.org>
> # Date 1451213891 -32400
> #      Sun Dec 27 19:58:11 2015 +0900
> # Node ID a090fb7be0b0415289ca2b6666c5f0cd8d912496
> # Parent  b3b1bef76d54a4755a1b221a36b00253eefefd9a
> encoding: backport paranoid escaping from templatefilters.jsonescape()
> 
> This was introduced by 55c763926a28. It shouldn't be necessary, but it would
> prevent possible XSS vulnerabilities.

Ok, I rechecked this. For JSON included by a template directly in HTML page
source, it is definitely required. Convince yourself here:

http://escape.alf.nu/1

Strongly recommend people who are interested in this topic spend a few hours
working through this website.

-- 
Mathematics is the supreme nostalgia of our time.
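The point Matt makes about JSON embedded directly in HTML page source, illustrated with an added Python example (this is not Mercurial's own `jsonescape()`; the function names, the `paranoid` flag and the `_PARANOID_MAP` table are assumptions modelled on the description in the patch subject):

```python
import json

# Added illustration, not Mercurial's code: why JSON emitted straight into
# HTML page source needs "paranoid" escaping of <, > and &. A plain JSON
# string encoder leaves those characters alone, so a value such as
# "</script>" would terminate the surrounding <script> element when the
# page is parsed as HTML, regardless of how valid the JSON itself is.

# Characters that are harmless inside a JSON string but significant to an
# HTML parser. Mapping them to \uXXXX escapes keeps the decoded JSON value
# identical while removing every HTML-significant byte from the page source.
_PARANOID_MAP = {
    '<': '\\u003c',
    '>': '\\u003e',
    '&': '\\u0026',
}


def jsonescape(s, paranoid=False):
    """Return ``s`` as the body of a JSON string literal (quotes omitted).

    With ``paranoid=True`` also escape ``<``, ``>`` and ``&`` so the result
    can be placed in HTML (e.g. inside a <script> element) without the data
    being able to close that element or introduce markup.
    """
    # json.dumps already handles quotes, backslashes and control characters;
    # ensure_ascii keeps the output to 7-bit so nothing else can surprise
    # the HTML parser.  Strip the surrounding double quotes it adds.
    escaped = json.dumps(s, ensure_ascii=True)[1:-1]
    if paranoid:
        for ch, repl in _PARANOID_MAP.items():
            escaped = escaped.replace(ch, repl)
    return escaped


def is_html_safe(escaped):
    """True if no HTML-significant character survives in the escaped text."""
    return not any(ch in escaped for ch in _PARANOID_MAP)


def roundtrip(escaped):
    """Decode an escaped literal back to the original value (sanity check)."""
    return json.loads('"%s"' % escaped)
```

The non-paranoid output is valid JSON but still contains `</script>` verbatim, which is exactly the case the escape.alf.nu exercises turn into an XSS; the paranoid form decodes to the same value yet contains nothing an HTML parser acts on.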
