[PATCH 3 of 3] encoding: backport paranoid escaping from templatefilters.jsonescape()

Yuya Nishihara yuya at tcha.org
Sat Jan 16 23:00:48 CST 2016


On Sat, 16 Jan 2016 11:52:02 -0600, Matt Mackall wrote:
> On Sat, 2016-01-16 at 21:33 +0900, Yuya Nishihara wrote:
> > # HG changeset patch
> > # User Yuya Nishihara <yuya at tcha.org>
> > # Date 1451213891 -32400
> > #      Sun Dec 27 19:58:11 2015 +0900
> > # Node ID a090fb7be0b0415289ca2b6666c5f0cd8d912496
> > # Parent  b3b1bef76d54a4755a1b221a36b00253eefefd9a
> > encoding: backport paranoid escaping from templatefilters.jsonescape()
> > 
> > This was introduced by 55c763926a28. It shouldn't be necessary, but it would
> > prevent possible XSS vulnerabilities.
> 
> Ok, I rechecked this. For JSON included by a template directly in HTML page
> source, it is definitely required. Convince yourself here:
> 
> http://escape.alf.nu/1
> 
> Strongly recommend people who are interested in this topic spend a few hours
> working through this website.

Doh, I see. </script><script>
alert('Can you fix my dumb commit message?');//
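The breakout Yuya demonstrates above, worked through as an added example (this is not Mercurial's code; the real implementation is `templatefilters.jsonescape()` in the patch series, and the function names, the page template and the sample value here are constructed for illustration): an HTML tokenizer ends a `<script>` element at the first `</script` it sees, without parsing the JavaScript inside, so a plain JSON encoder that leaves `<` and `>` alone lets string data close the element and open a new one. Rewriting `<`, `>` and `&` as `\u00XX` escapes is safe because a JSON decoder treats them identically to the literal characters, so the decoded value is unchanged.

```python
import json

# Constructed sample value: if embedded verbatim inside a <script> block it
# closes the script element early and starts a second one.
UNTRUSTED = "</script><script>alert('xss')//"

# Constructed page template: JSON dropped directly into page source.
PAGE_TEMPLATE = "<script>var data = {json};</script>"


def naive_jsonescape(value):
    """Plain JSON encoding: quotes and backslashes are escaped, but '<', '>'
    and '&' pass straight through to the HTML parser."""
    return json.dumps(value)


def paranoid_jsonescape(value):
    """JSON encoding plus the 'paranoid' step: every character that has
    meaning to an HTML parser becomes a \\uXXXX escape.  Illustrative only,
    not Mercurial's implementation."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def render(value, escape):
    """Embed one value in the page's script block using the given escaper."""
    return PAGE_TEMPLATE.format(json=escape(value))


def script_element_count(html):
    """Number of '</script' end tags the HTML tokenizer would see.  The
    tokenizer matches case-insensitively and ignores JS string context, so a
    correctly escaped page has exactly one."""
    return html.lower().count("</script")


def decodes_unchanged(value):
    """True if the paranoid escaping round-trips through a JSON decoder."""
    return json.loads(paranoid_jsonescape(value)) == value


if __name__ == "__main__":
    print(render(UNTRUSTED, naive_jsonescape))     # two script elements
    print(render(UNTRUSTED, paranoid_jsonescape))  # one script element
    print(decodes_unchanged(UNTRUSTED))            # True
```

`script_element_count` is deliberately dumb: it does not try to parse the JavaScript, because neither does the HTML tokenizer. That is the whole point of the escaping: the JSON has to be safe for the HTML parser that runs first, not only for the JS engine that runs second.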

