Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
improved Mojo::JSON security by escaping the "/" character (closes #693)
  • Loading branch information
kraih committed Nov 24, 2014
1 parent d34b74c commit af40ccf
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 8 deletions.
1 change: 1 addition & 0 deletions Changes
@@ -1,6 +1,7 @@

5.65 2014-11-24
- Improved installable scripts to use #!perl. (jberger)
- Improved Mojo::JSON security by escaping the "/" character.
- Fixed bug in Mojo::DOM::CSS where selected results would also include the
current root element.

Expand Down
6 changes: 4 additions & 2 deletions lib/Mojo/JSON.pm
Expand Up @@ -244,7 +244,7 @@ sub _encode_object {

sub _encode_string {
my $str = shift;
$str =~ s!([\x00-\x1f\x{2028}\x{2029}\\"])!$REVERSE{$1}!gs;
$str =~ s!([\x00-\x1f\x{2028}\x{2029}\\"/])!$REVERSE{$1}!gs;
return "\"$str\"";
}

Expand Down Expand Up @@ -347,7 +347,9 @@ their values are true or false.
\0 -> false
The two Unicode whitespace characters C<u2028> and C<u2029> will always be
escaped to make JSONP easier.
escaped to make JSONP easier, and the character C</> to prevent XSS attacks.
"\x{2028}\x{2029}</script>" -> "\u2028\u2029<\/script>"
=head1 FUNCTIONS
Expand Down
12 changes: 6 additions & 6 deletions t/mojo/json.t
Expand Up @@ -146,7 +146,7 @@ is b($bytes)->decode('UTF-8'), "[\"hello\\u0003\x{0152}world\x{0152}!\"]",
$bytes = encode_json ["123abc"];
is $bytes, '["123abc"]', 'encode ["123abc"]';
$bytes = encode_json ["\x00\x1f \a\b/\f\r"];
is $bytes, '["\\u0000\\u001F \\u0007\\b/\f\r"]',
is $bytes, '["\\u0000\\u001F \\u0007\\b\/\f\r"]',
'encode ["\x00\x1f \a\b/\f\r"]';
$bytes = encode_json '';
is $bytes, '""', 'encode ""';
Expand Down Expand Up @@ -242,11 +242,11 @@ is_deeply $hash, {foo => 'c:\progra~1\mozill~1\firefox.exe'},
$bytes = encode_json(['a' x 32768]);
is_deeply decode_json($bytes), ['a' x 32768], 'successful roundtrip';

# u2028 and u2029
$bytes = encode_json ["\x{2028}test\x{2029}123"];
is index($bytes, b("\x{2028}")->encode), -1, 'properly escaped';
is index($bytes, b("\x{2029}")->encode), -1, 'properly escaped';
is_deeply decode_json($bytes), ["\x{2028}test\x{2029}123"],
# u2028, u2029 and slash
$bytes = encode_json ["\x{2028}test\x{2029}123</script>"];
is $bytes, '["\u2028test\u2029123<\/script>"]',
'escaped u2028, u2029 and slash';
is_deeply decode_json($bytes), ["\x{2028}test\x{2029}123</script>"],
'successful roundtrip';

# JSON without UTF-8 encoding
Expand Down

0 comments on commit af40ccf

Please sign in to comment.