Issue 4701047: code review 4701047: json: escape < and > in any JSON string.

Keyboard Shortcuts

	File
u :	up to issue
m :	publish + mail comments
M :	edit review message
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line
<Enter> :	respond to / edit current comment
d :	mark current comment as done

	Issue
u :	up to list of issues
m :	publish + mail comments
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue
# :	close issue

	Comment/message editing
<Ctrl> + s or <Ctrl> + Enter :	save comment
<Esc> :	cancel edit

Issue 4701047: code review 4701047: json: escape < and > in any JSON string. (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
14 years, 5 months ago by dsymonds

Modified:
14 years, 5 months ago

Reviewers:

CC:
rsc, golang-dev

Visibility:
Public.

Description

json: escape < and > in any JSON string. Angle brackets can trigger some browser sniffers, causing some forms of JSON output to be interpreted as HTML. Escaping angle brackets closes that security hole.

Patch Set 1 #

Patch Set 2 : diff -r 0f49d3fea8c9 https://go.googlecode.com/hg/ #

Patch Set 3 : diff -r 0f49d3fea8c9 https://go.googlecode.com/hg/ #

Patch Set 4 : diff -r 0f49d3fea8c9 https://go.googlecode.com/hg/ #

Patch Set 5 : diff -r e1305aa99e2e https://go.googlecode.com/hg/ #

Created: 14 years, 5 months ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+17 lines, -1 line)			Patch
	M	src/pkg/json/decode_test.go	View	1	1 chunk	+12 lines, -0 lines	0 comments	Download
	M	src/pkg/json/encode.go	View	1 2 3	2 chunks	+5 lines, -1 line	0 comments	Download

Messages

Total messages: 5

Expand All Messages | Collapse All Messages

dsymonds

Hello rsc (cc: golang-dev@googlegroups.com), I'd like you to review this change to https://go.googlecode.com/hg/

14 years, 5 months ago (2011-07-14 02:52:12 UTC) #1

dsymonds

On Thu, Jul 14, 2011 at 1:00 PM, Russ Cox <rsc@golang.org> wrote: > comment why ...

14 years, 5 months ago (2011-07-14 03:17:37 UTC) #3

dsymonds

14 years, 5 months ago (2011-07-14 03:30:15 UTC) #5

*** Submitted as http://code.google.com/p/go/source/detail?r=fa6814569009 ***

json: escape < and > in any JSON string.

Angle brackets can trigger some browser sniffers, causing
some forms of JSON output to be interpreted as HTML.
Escaping angle brackets closes that security hole.

R=rsc
CC=golang-dev
http://codereview.appspot.com/4701047

Expand All Messages | Collapse All Messages