Escape html comments in json #408


Merged: 1 commit, Aug 11, 2025


Conversation

@mpkorstanje (Contributor) commented Aug 10, 2025

🤔 What's changed?

In brief, explained in more detail by Jon Surrel[1], both `</script>` and `<!--` are interpreted by the HTML renderer. We caught the first one, but not the second.

The W3C recommendation is to replace the `<` with `\x3C`[2] instead of escaping the `/`.

  1. https://sirre.al/2025/08/06/safe-json-in-script-tags-how-not-to-break-a-site/
  2. https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements

🏷️ What kind of change is this?

  • 🐛 Bug fix (non-breaking change which fixes a defect)

📋 Checklist:

  • I agree to respect and uphold the Cucumber Community Code of Conduct
  • I've changed the behaviour of the code
    • I have added/updated tests to cover my changes.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly.
  • Users should know about my change
    • I have added an entry to the "Unreleased" section of the CHANGELOG, linking to this pull request.

@mpkorstanje force-pushed the fix-escape-html-in-json branch 4 times, most recently from bfd7716 to 2f8f853 (August 10, 2025 11:34). Commit message:
In brief, explained in more detail by Jon Surrel[1], both `</script>`
and `<!--` are interpreted by the html render. We caught the first one,
but not the second.

The W3C recommendation is to escape the `<` instead with `\x3C`[2].

1. https://sirre.al/2025/08/06/safe-json-in-script-tags-how-not-to-break-a-site/
2. https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
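The escaping rule described in the PR description and commit message above, as an added example in JavaScript that is not code from this pull request or from the project: it serialises a value for an inline `<script>` element by replacing every `<` in the JSON with `\x3C`, contrasts that with escaping only the slash of `</script>` (which leaves `<!--` in place), checks the result for the two sequences the HTML tokenizer acts on, and round-trips the literal through a JavaScript evaluator. The function names, the sample object and the `\u003c` variant for JSON data blocks are assumptions of this example, not part of the page.

```javascript
// Added example (not cucumber's own code): serialising data for a <script>
// element so the HTML parser never sees the sequences it treats as markup.
// Names and the sample object are constructed for this example.

// Inside script data the HTML tokenizer reacts to "</script" (ends the
// element, case-insensitive) and "<!--" (enters the escaped state). Any "<"
// left in the serialised output can start one of them, so the check below
// looks for both.
const UNSAFE_IN_SCRIPT = /<\/script|<!--/i;

// Escaping only the slash of "</script", as the description says was done
// before: "<!--" passes through untouched, which is the defect the PR fixes.
function toScriptBodyOld(value) {
  return JSON.stringify(value).replace(/<\/script/gi, '<\\/script');
}

// Fixed approach, following the WHATWG restriction cited in the PR: replace
// every "<" with the JavaScript string escape "\x3C". The JS engine decodes it
// back to "<" when the literal is evaluated; the HTML parser only ever sees a
// backslash, an "x" and two hex digits.
function toScriptBody(value) {
  return JSON.stringify(value).replace(/</g, '\\x3C');
}

// Variant for a data block (<script type="application/json">) that the page
// reads back with JSON.parse: "\x3C" is not valid JSON, so use "\u003c",
// which both JSON and JavaScript string literals accept.
function toJsonScriptBody(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// True when the body contains neither sequence the tokenizer acts on.
function isSafeScriptBody(body) {
  return !UNSAFE_IN_SCRIPT.test(body);
}

// Wrap a body as an inline script assigning it to a global, the way an
// HTML report embeds its data.
function scriptTag(body) {
  return `<script>window.DATA = ${body};</script>`;
}

// Evaluate the literal the way a browser would when it runs the script.
// Used only to show the round trip; the body is this file's own output.
function roundTrip(body) {
  return new Function(`return ${body};`)();
}

// Constructed sample: a step text carrying both offending sequences.
const SAMPLE = { step: 'renders </script><!-- comment --> safely', n: 1 };

function demo() {
  const oldBody = toScriptBodyOld(SAMPLE);
  const newBody = toScriptBody(SAMPLE);
  return {
    oldSafe: isSafeScriptBody(oldBody),  // false: "<!--" survives
    newSafe: isSafeScriptBody(newBody),  // true
    roundTripOk: JSON.stringify(roundTrip(newBody)) === JSON.stringify(SAMPLE),
    tag: scriptTag(newBody),
  };
}

console.log(demo());
```

The `\x3C` form is a JavaScript escape, so it is right only when the script body is evaluated as JavaScript (an inline assignment as in `scriptTag`); a JSON data block read with `JSON.parse` needs the `\u003c` variant instead, which both parsers accept.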
@gasparnagy (Member) left a comment

.NET is good

@mpkorstanje mpkorstanje merged commit 1177850 into main Aug 11, 2025
15 checks passed
@mpkorstanje mpkorstanje deleted the fix-escape-html-in-json branch August 11, 2025 09:34
3 participants