New submission from Antti Haapala:

JSON is not a strict superset of JavaScript 
(http://timelessrepo.com/json-isnt-a-javascript-subset). However, certain web 
technologies use JSON values as a part of JavaScript code (JSONP, inline 
<script> tags)... The Python json module, however, by default does not escape 
\u2028 or \u2029 when ensure_ascii is false. Furthermore, the / -> \/ escape is 
not supported by any switch.

Strictly speaking, json specification only requires that " be escaped to \" and 
\ to \\ - all other escaping is optional. The whitespace escapes only exist to 
aid handwriting and embedding values in HTML/code. Thus it can be argued that 
the choice of escapes used by the json encoder is ill-advised.

In an inline HTML <script></script> tag, < cannot be escaped; however, only 
the string '</script>' (or sometimes </) is interpreted as the "end of script". 
Thus a non-trivial XSS attack can be made by having a JSON stream 
{"key":"</script><script src=''></script>"} embedded in inline javascript. The 
only correct way to escape such content in inline html is to escape all / into 
\/.

The \u2028, \u2029 problem is more subtle and can break not only inline 
javascript but also JSONP. Thus an incorrect value injected into the database 
by a malicious or unwitting user might break the entire protocol.

The current solution is to re-escape everything that comes out of JSON encoder. 
The best solution for python would be to make these 3 escapes default in the 
python json module (notice again that the current set of default escapes when 
ensure_ascii=False is chosen arbitrarily), or if not default, then at least 
they could be enabled by a switch. Furthermore, documentation should be updated 
appropriately, to explain why such escape is needed.

----------
components: Library (Lib)
messages: 191742
nosy: Ztane
priority: normal
severity: normal
status: open
title: json encoder does not support JSONP/JavaScript safe escaping
type: enhancement

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18290>
_______________________________________
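The "re-escape everything that comes out of the JSON encoder" workaround the report describes, written out as an added example. This is not code from the tracker issue or from the json module; the helper names (dumps_js_safe, inline_script, jsonp, script_tag_closes_early) and the naive HTML-tokenizer model are assumptions for illustration, and the sample value is constructed from the payload quoted in the report.

```python
import json

# Characters that are legal unescaped inside a JSON string but dangerous once
# the JSON is pasted into a <script> body or a JSONP response. None of them is
# a JSON structural token, so every occurrence in json.dumps() output sits
# inside a string literal, and each replacement is a valid JSON escape that
# json.loads() reverses. This is the "re-escape the encoder output" workaround
# the report describes, not part of the json module (assumed helper).
JS_SAFE_ESCAPES = {
    "/": "\\/",            # so "</script>" becomes "<\/script>" in the output
    "\u2028": "\\u2028",   # LINE SEPARATOR: a line terminator in JavaScript
    "\u2029": "\\u2029",   # PARAGRAPH SEPARATOR: likewise
}

# Constructed sample value; the string is the XSS payload quoted in the report.
REPORT_PAYLOAD = {"key": "</script><script src=''></script>"}


def dumps_default(obj):
    """Plain json.dumps() in the mode where the report's problem shows up."""
    return json.dumps(obj, ensure_ascii=False)


def dumps_js_safe(obj, **kwargs):
    """json.dumps(), then apply the three JavaScript-safe escapes."""
    kwargs.setdefault("ensure_ascii", False)
    text = json.dumps(obj, **kwargs)
    for raw, escaped in JS_SAFE_ESCAPES.items():
        text = text.replace(raw, escaped)
    return text


def round_trips(obj):
    """The added escapes are valid JSON, so decoding gives the value back."""
    return json.loads(dumps_js_safe(obj)) == obj


def inline_script(encoded_json):
    """Embed already-encoded JSON in an inline script, as a template would."""
    return "<script>var data = %s;</script>" % encoded_json


def jsonp(callback, obj):
    """JSONP response body: the callback invoked with the JS-safe JSON."""
    return "%s(%s);" % (callback, dumps_js_safe(obj))


def script_tag_closes_early(html):
    """Naive model of the HTML tokenizer (an assumption for illustration): the
    first '</script' after the opening tag ends the element, whatever the
    JavaScript grammar says. True means the payload cut the script short."""
    body_start = html.index("<script>") + len("<script>")
    first_close = html.lower().index("</script", body_start)
    return first_close != len(html) - len("</script>")


if __name__ == "__main__":
    unsafe = dumps_default(REPORT_PAYLOAD)
    safe = dumps_js_safe(REPORT_PAYLOAD)
    print("default:", inline_script(unsafe),
          "closes early:", script_tag_closes_early(inline_script(unsafe)))
    print("js-safe:", inline_script(safe),
          "closes early:", script_tag_closes_early(inline_script(safe)))
    line_sep = {"text": "one\u2028two"}
    print("raw U+2028 in default output:", "\u2028" in dumps_default(line_sep))
    print("JSONP body:", jsonp("cb", line_sep))
    print("round trip ok:", round_trips(REPORT_PAYLOAD) and round_trips(line_sep))
```

Post-processing the encoded text is sound only because `/`, U+2028 and U+2029 never occur outside string literals in json.dumps() output; the same trick applied to `<` would also be safe for the same reason, but the report's point is that `\/` alone is what defuses `</script>` for the HTML tokenizer. With the default ensure_ascii=True the two separators already come out as `\u2028`/`\u2029`, but `/` still does not, which is the gap the report asks the module to close.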