Status: Obsolete

Comments
rs...@chromium.org <rs...@chromium.org> #2
Got an issue? Take it up with the spec :) Pretty sure this is WontFix for "It's what the spec says"
http://people.mozilla.org/~jorendorff/es6-draft.html#sec-quote
See step d.
ma...@qiwi.be <ma...@qiwi.be> #3
Escaping not just `>` but also lone surrogate code points and possibly all non-ASCII code points in `JSON.stringify()`, like https://mths.be/jsesc does (cfr. https://speakerdeck.com/mathiasbynens/hacking-with-unicode?slide=135 ), has been discussed on the es-discuss mailing list and during TC39 meetings before. The unfortunate resolution was that it is a compatibility risk: there might be code in the wild that relies on the unescaped behavior. It won’t be changed until someone comes up with hard data that indicates otherwise, or until someone is willing to actually ship a modified `JSON.stringify` to see what breaks.
ha...@chromium.org <ha...@chromium.org> #4
[Automated message] This issue does not seem to be a V8 issue. The label Cr-Blink-JavaScript will be removed next week. The label Cr-Blink will be added instead. If you think that this issue is correctly labeled as a V8 issue please contact hablich@.
ha...@chromium.org <ha...@chromium.org> #5
[Automated message] This issue does not seem to be a V8 issue. The label Cr-Blink-JavaScript is removed. The label Cr-Blink is added instead. If you think that this issue was correctly labeled as a V8 issue please contact hablich@.
ha...@chromium.org <ha...@chromium.org> #7
Andi and/or Dimitri, could you have a look please?
rs...@chromium.org <rs...@chromium.org> #8
To be clear: This is a spec issue first, implementation second (if and only if the spec changes). The people involved in TC39 should triage this first.
do...@chromium.org <do...@chromium.org> #9
Yes, this is WontFix. V8 is implementing the spec here. I anticipate changing the spec would not be accepted, as this would break a lot of code. But you can submit a proposal for changing it to the rest of the committee by emailing es-discuss@mozilla.org.
is...@google.com <is...@google.com> #10
This issue was migrated from crbug.com/chromium/412180?no_tracker_redirect=1
[Auto-CCs applied]
[Multiple monorail components: Blink>JavaScript>Language, Security]
[Monorail components added to Component Tags custom field.]
Description
Version: 37.0.2062.76 beta
OS: All
What steps will reproduce the problem?
What is the expected output? What do you see instead?
I see "<" I expect to see "\u003c"
Please use labels and text to provide additional information.
This would be nice because this allows someone writing an HTTP server in JavaScript as a Chrome app to write JSONP as responses without introducing XSS.
At the moment, someone could easily sneak HTML if the server doesn't have the right Content Type (for Chrome, some other browsers also need Content-Disposition and such), and even if the CT is right for any browser by injecting a PDF file.
This is the default behavior for many of the JSON encoding APIs we have, so it would be nice to do it for this too.
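Since the spec-mandated `JSON.stringify` (see comment #9) leaves `<`, `>`, `&`, U+2028/U+2029 and, on older engines, lone surrogates (comment #3) unescaped, the escaping the report asks for has to be done by the embedding code. Below is an added example, not code from this issue, from V8 or from any real server, of a wrapper that post-processes `JSON.stringify` output so it can be written into an HTML or JSONP response; `escapeForEmbedding`, `safeJsonStringify`, `jsonpBody` and the callback-name pattern are hypothetical names chosen here.

```javascript
// Added example (not from the Chromium issue or V8): make JSON.stringify output
// safe to embed in HTML/JSONP. Per spec, JSON.stringify does not escape "<", ">",
// "&" or U+2028/U+2029, so a string value containing "</script>" would terminate
// a script context if written raw into a response.

// Hex-escape one UTF-16 code unit as a JSON \uXXXX escape.
function unicodeEscape(ch) {
  return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
}

// Post-process JSON text. In JSON.stringify output these characters can only
// occur inside string literals, where \uXXXX is a legal escape, so the result
// is still valid JSON and parses back to the same value.
function escapeForEmbedding(jsonText) {
  return jsonText
    // HTML-significant characters plus the JS line terminators U+2028/U+2029.
    .replace(/[<>&\u2028\u2029]/g, unicodeEscape)
    // Lone surrogates (invalid UTF-16). Engines with ES2019 well-formed
    // JSON.stringify already escape these; this matters only on older engines.
    // Matching a full pair first keeps valid pairs untouched (no "u" flag, so
    // the regex works on code units, which is what we want here).
    .replace(/[\uD800-\uDBFF][\uDC00-\uDFFF]|[\uD800-\uDFFF]/g,
      (m) => (m.length === 2 ? m : unicodeEscape(m)));
}

function safeJsonStringify(value) {
  return escapeForEmbedding(JSON.stringify(value));
}

// JSONP body for the Chrome-app HTTP server scenario in the report. The
// callback name is restricted to a dotted-identifier pattern so the name
// itself cannot smuggle script into the response (hypothetical helper).
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpBody(callback, value) {
  if (!CALLBACK_NAME.test(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  // Leading comment defends against content sniffing of the response body.
  return '/**/' + callback + '(' + safeJsonStringify(value) + ');';
}

// Constructed sample input.
const sample = { name: '<b>hi</b> & co', sep: 'a\u2028b' };
console.log(JSON.stringify(sample));     // "<" left raw, as the spec requires
console.log(safeJsonStringify(sample));  // "<" becomes \u003c
```

The `Content-Type` handling the report also mentions is unaffected by this wrapper: it should still be served as `application/json` (or `application/javascript` for JSONP) with `X-Content-Type-Options: nosniff`.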