html_safe option protects against comment injection

When encoding with the html_safe option, also encode `<` into `\\u003C`
to protect against injecting `<!--` HTML comments into JSON.

Closes michalmuskala#109

Author: michalmuskala

lib/encode.ex

@@ -261,7 +261,7 @@ defmodule Jason.Encode do
   slash_escapes = Enum.zip('\b\t\n\f\r\"\\', 'btnfr"\\')
   surogate_escapes = Enum.zip([0x2028, 0x2029], ["\\u2028", "\\u2029"])
   ranges = [{0x00..0x1F, :unicode} | slash_escapes]
-  html_ranges = [{0x00..0x1F, :unicode}, {?/, ?/} | slash_escapes]
+  html_ranges = [{0x00..0x1F, :unicode}, {?<, :unicode}, {?/, ?/} | slash_escapes]
   escape_jt = Codegen.jump_table(html_ranges, :error)
 
   Enum.each(escape_jt, fn

test/encode_test.exs

@@ -30,8 +30,9 @@ defmodule Jason.EncoderTest do
     assert to_json("☃a", escape: :unicode_safe) == ~s("\\u2603a")
     assert to_json("𝄞b", escape: :unicode_safe) == ~s("\\uD834\\uDD1Eb")
     assert to_json("\u2028\u2029abc", escape: :javascript_safe) == ~s("\\u2028\\u2029abc")
-    assert to_json("</script>", escape: :html_safe) == ~s("<\\/script>")
-    assert to_json(~s(<script>var s = "\u2028\u2029";</script>), escape: :html_safe) == ~s("<script>var s = \\\"\\u2028\\u2029\\\";<\\/script>")
+    assert to_json("</script>", escape: :html_safe) == ~s("\\u003C\\/script>")
+    assert to_json(~s(<script>var s = "\u2028\u2029";</script>), escape: :html_safe) == ~s("\\u003Cscript>var s = \\\"\\u2028\\u2029\\\";\\u003C\\/script>")
+    assert to_json("<!-- fake comment", escape: :html_safe) == ~s("\\u003C!-- fake comment")
     assert to_json("áéíóúàèìòùâêîôûãẽĩõũ") == ~s("áéíóúàèìòùâêîôûãẽĩõũ")
     assert to_json("a\u2028a", escape: :javascript_safe) == ~s("a\\u2028a")
     assert to_json("a\u2028a", escape: :html_safe) == ~s("a\\u2028a")