code review 4701047: json: escape < and > in any JSON string. (issue4701047)


dsym...@golang.org

Jul 13, 2011, 10:52:12 PM
to r...@golang.org, golan...@googlegroups.com, re...@codereview.appspotmail.com
Reviewers: rsc,

Message:
Hello rsc (cc: golan...@googlegroups.com),

I'd like you to review this change to
https://go.googlecode.com/hg/


Description:
json: escape < and > in any JSON string.

Angle brackets can trigger some browser sniffers, causing
some forms of JSON output to be interpreted as HTML.
Escaping angle brackets closes that security hole.

Please review this at http://codereview.appspot.com/4701047/

Affected files:
M src/pkg/json/decode_test.go
M src/pkg/json/encode.go


Index: src/pkg/json/decode_test.go
===================================================================
--- a/src/pkg/json/decode_test.go
+++ b/src/pkg/json/decode_test.go
@@ -208,6 +208,18 @@
}
}

+func TestEscape(t *testing.T) {
+ const input = `"foobar"<html>`
+ const expected = `"\"foobar\"\u003chtml\u003e"`
+ b, err := Marshal(input)
+ if err != nil {
+ t.Fatalf("Marshal error: %v", err)
+ }
+ if s := string(b); s != expected {
+ t.Errorf("Encoding of [%s] was [%s], want [%s]", input, s, expected)
+ }
+}
+
func TestHTMLEscape(t *testing.T) {
b, err := MarshalForHTML("foobarbaz<>&quux")
if err != nil {
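Review bot: TestEscape exercises Marshal, which is the encoder, yet it is added to decode_test.go next to the decoding tests; encode_test.go is the natural home, and a name such as TestMarshalEscapesAngleBrackets would say what it checks. The single case also only covers a bare top-level string: since the change is to the shared string-encoding loop and the CL title promises "any JSON string", one case with a string held in a struct or map field, and one with a control byte to confirm the `\u00` path still yields `\u0001`, would lock in that every encoded string gets the `\u003c`/`\u003e` form.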
Index: src/pkg/json/encode.go
===================================================================
--- a/src/pkg/json/encode.go
+++ b/src/pkg/json/encode.go
@@ -337,7 +337,7 @@
start := 0
for i := 0; i < len(s); {
if b := s[i]; b < utf8.RuneSelf {
- if 0x20 <= b && b != '\\' && b != '"' {
+ if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' {
i++
continue
}
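Review bot: The fast-path condition now rejects two more bytes, which changes the output of every Marshal call on strings containing `<` or `>`, but nothing in the diff updates the doc comment on Marshal (or the package comment) to say that angle brackets are emitted as `\u003c` and `\u003e`. Callers that compare encoded output byte-for-byte, or that assumed MarshalForHTML was the only variant that escapes markup characters, should be able to find this in the docs; a sentence there, with the reason from the CL description (browser content sniffing), would be enough.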
@@ -355,6 +355,8 @@
e.WriteByte('\\')
e.WriteByte('r')
default:
+ // This encodes bytes < 0x20 except for \n and \r,
+ // as well as < and >.
e.WriteString(`\u00`)
e.WriteByte(hex[b>>4])
e.WriteByte(hex[b&0xF])
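Review bot: The new comment in the default branch says what is encoded but not why `<` and `>` are singled out, which is the question a later reader of this switch will ask; fold in the rationale from the CL description, e.g. `// < and > are escaped so that JSON output is not sniffed as HTML by browsers.` It is also worth stating explicitly that, because only \n and \r have their own cases above, other control bytes such as tab come out as `\u0009` rather than `\t`; that is valid JSON, but the comment as written leaves readers to infer it.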


Russ Cox

Jul 13, 2011, 11:00:20 PM
to dsym...@golang.org, r...@golang.org, golan...@googlegroups.com, re...@codereview.appspotmail.com
comment why please

David Symonds

Jul 13, 2011, 11:17:35 PM
to r...@golang.org, golan...@googlegroups.com, re...@codereview.appspotmail.com
On Thu, Jul 14, 2011 at 1:00 PM, Russ Cox <r...@golang.org> wrote:

> comment why please

Done.

r...@golang.org

Jul 13, 2011, 11:26:58 PM
to dsym...@golang.org, golan...@googlegroups.com, re...@codereview.appspotmail.com

dsym...@golang.org

Jul 13, 2011, 11:30:15 PM
to dsym...@golang.org, r...@golang.org, golan...@googlegroups.com, re...@codereview.appspotmail.com
*** Submitted as
http://code.google.com/p/go/source/detail?r=fa6814569009 ***

json: escape < and > in any JSON string.

Angle brackets can trigger some browser sniffers, causing
some forms of JSON output to be interpreted as HTML.
Escaping angle brackets closes that security hole.

R=rsc
CC=golang-dev
http://codereview.appspot.com/4701047


http://codereview.appspot.com/4701047/
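A stand-alone Go rendering of the string-escaping loop this change modifies, added here for illustration (it is not the patch's own code), which also checks its output against today's encoding/json, where angle brackets have been escaped by default since this CL. The names escapeJSONString and matchesStdlib are mine; later Go releases additionally escape `&` and a few other characters, so the comparison is only expected to agree on inputs that do not contain them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"unicode/utf8"
)

const hex = "0123456789abcdef"

// escapeJSONString mirrors the encoder loop in the patch: ASCII bytes pass
// through unless they are control bytes (< 0x20), backslash, double quote,
// or the angle brackets '<' and '>'. Non-ASCII bytes are copied unchanged
// (the input is assumed to be valid UTF-8).
func escapeJSONString(s string) string {
	buf := []byte{'"'}
	start := 0
	for i := 0; i < len(s); {
		if b := s[i]; b < utf8.RuneSelf {
			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' {
				i++
				continue
			}
			buf = append(buf, s[start:i]...)
			switch b {
			case '\\', '"':
				buf = append(buf, '\\', b)
			case '\n':
				buf = append(buf, '\\', 'n')
			case '\r':
				buf = append(buf, '\\', 'r')
			default:
				// Control bytes other than \n and \r, plus < and >, become \u00XX,
				// so "<html>" never reaches a browser sniffer as literal markup.
				buf = append(buf, '\\', 'u', '0', '0', hex[b>>4], hex[b&0xF])
			}
			i++
			start = i
			continue
		}
		_, size := utf8.DecodeRuneInString(s[i:])
		i += size
	}
	buf = append(buf, s[start:]...)
	return string(append(buf, '"'))
}

// matchesStdlib reports whether the mirrored loop agrees with json.Marshal.
func matchesStdlib(s string) bool {
	b, err := json.Marshal(s)
	return err == nil && string(b) == escapeJSONString(s)
}

func main() {
	in := `"foobar"<html>` // the input used by the patch's test
	fmt.Println(escapeJSONString(in), matchesStdlib(in))
}
```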
