[PATCH 3 of 3] encoding: backport paranoid escaping from templatefilters.jsonescape()
Yuya Nishihara
yuya at tcha.org
Sat Jan 16 23:00:48 CST 2016
On Sat, 16 Jan 2016 11:52:02 -0600, Matt Mackall wrote:
> On Sat, 2016-01-16 at 21:33 +0900, Yuya Nishihara wrote:
> > # HG changeset patch
> > # User Yuya Nishihara <yuya at tcha.org>
> > # Date 1451213891 -32400
> > # Sun Dec 27 19:58:11 2015 +0900
> > # Node ID a090fb7be0b0415289ca2b6666c5f0cd8d912496
> > # Parent b3b1bef76d54a4755a1b221a36b00253eefefd9a
> > encoding: backport paranoid escaping from templatefilters.jsonescape()
> >
> > This was introduced by 55c763926a28. It shouldn't be necessary, but it would
> > prevent possible XSS vulnerabilities.
>
> Ok, I rechecked this. For JSON included by a template directly in HTML page
> source, it is definitely required. Convince yourself here:
>
> http://escape.alf.nu/1
>
> Strongly recommend people who are interested in this topic spend a few hours
> working through this website.
Doh, I see. </script><script>
alert('Can you fix my dumb commit message?');//
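The break-out shown in the reply above (a `</script>` inside JSON data that a template writes straight into an inline `<script>` block) and the "paranoid" escaping the patch backports, illustrated as an added example in Python. This is not Mercurial's own `jsonescape()` code; the assumption it makes is that paranoid mode additionally rewrites `<` and `>` as `\u003c` and `\u003e`, which a JSON parser (and the browser's JS engine) decodes back to the original characters while the HTML parser never sees a tag boundary. The sample payload is the string from the message above.

```python
import json

# Extra escapes applied in "paranoid" mode. Assumption for this example:
# these two characters are what a paranoid JSON escaper must neutralise so
# that the HTML parser cannot find "</script>" inside the embedded data.
_PARANOID = {
    '<': '\\u003c',
    '>': '\\u003e',
}


def jsonescape(s: str, paranoid: bool = False) -> str:
    """Return the body of a JSON string literal (without the quotes).

    json.dumps already handles the standard escapes (backslash, double
    quote, control characters, non-ASCII). Paranoid mode additionally
    hides the characters that are meaningful to an HTML parser.
    """
    body = json.dumps(s, ensure_ascii=True)[1:-1]
    if paranoid:
        for ch, rep in _PARANOID.items():
            body = body.replace(ch, rep)
    return body


def render_inline_script(value: str, paranoid: bool) -> str:
    """Embed the escaped value the way a template would, inside <script>."""
    return '<script>var msg = "%s";</script>' % jsonescape(value, paranoid)


def is_script_safe(html: str) -> bool:
    """Detection check: the only closing script tag must be the template's own.

    The HTML tokenizer ends a script block at the first "</script", no matter
    how the text is quoted in JavaScript, so a second occurrence means the
    data broke out of the string literal.
    """
    return html.lower().count('</script') == 1


def roundtrip(value: str, paranoid: bool) -> str:
    """Decode the escaped body again, as a JS engine / JSON parser would."""
    return json.loads('"' + jsonescape(value, paranoid) + '"')


if __name__ == '__main__':
    # Sample input: the payload from the message in this thread.
    payload = "</script><script>alert('Can you fix my dumb commit message?');//"
    for paranoid in (False, True):
        page = render_inline_script(payload, paranoid)
        print('paranoid=%s safe=%s' % (paranoid, is_script_safe(page)))
        print('  ', page)
        assert roundtrip(payload, paranoid) == payload
```

Plain JSON escaping leaves `<` and `>` untouched, so the rendered page contains two `</script>` tags and the browser executes the injected script; with the paranoid map the page holds a single `</script>` and the decoded value is still byte-for-byte the original string, which is why the extra escaping costs nothing in correctness.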