Newsgroups: php.internals
Subject: Re: [PHP-DEV] Proposed feature for json_encode()
Date: Fri, 30 Nov 2007 06:40:52 +1000
To: Sara Golemon
CC: internals@lists.php.net
Message-ID: <474F23D4.8060306@lerdorf.com>
In-Reply-To: <28.76.32949.5211F474@pb1.pair.com>
From:
rasmus@lerdorf.com (Rasmus Lerdorf)

Sara Golemon wrote:
> While it's technically "safe" to include user-supplied data in
> json_encode() serialized values, the fact that characters such as <>&'
> remain as is means there's room for some as-yet unidentified problem
> either in the browser's rendering or (more likely) elsewhere in one's
> codebase for this data to get into the wrong context and be executed.
>
> To that end, the attached patch allows the caller to be paranoid about
> their data and stipulate that <>&' should be encoded to hex references
> instead. This doesn't stop a web developer from dropping that content
> into an innerHTML of course, but it's one more rope holding the ship
> together.
>
> Obviously, since this adds five characters per pedantically escaped
> character, it's not something you'd want on by default, so the normal
> behavior would be to leave them alone.
>
> echo json_encode("<foo>");
> "<foo>"
>
> echo json_encode("<foo>", JSON_HEX_TAG);
> "\u003Cfoo\u003E"
>
> echo json_encode("<foo bar='baz'>", JSON_HEX_TAG | JSON_HEX_APOS);
> "\u003Cfoo bar=\u0027baz\u0027\u003E"

This was on my TODO, but you are way more productive than I am, as witnessed by the 3 copies of this proposal we got. ;)

-Rasmus
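The following is an added example, not part of this thread and not the PHP patch itself: a JavaScript model of the two flags shown in the proposal (JSON_HEX_TAG, JSON_HEX_APOS), used to show the two HTML contexts those escapes defuse (an inline <script> block and a single-quoted attribute) and the innerHTML case the proposal itself says they do not cover. The flag values, the function names, and the attacker-controlled input are assumptions made for the demo; the `&` escaping from the `<>&'` list is not modelled here because the mail names no flag for it.

```javascript
// Added example: a JavaScript model of the proposed json_encode() flags.
// Not PHP's code; flag values and all names here are assumptions for the demo.
const JSON_HEX_TAG = 1;
const JSON_HEX_APOS = 4;

// Serialize like json_encode($value, $flags): JSON first, then rewrite the
// selected characters as \u00XX escapes. In JSON.stringify output the
// characters < > ' can only occur inside string literals (structural
// tokens are {}[]:, plus numbers, true/false/null), so a global replace on
// the serialized text touches only string contents.
function jsonEncodeHex(value, flags = 0) {
  let out = JSON.stringify(value);
  if (flags & JSON_HEX_TAG) {
    out = out.replace(/</g, '\\u003C').replace(/>/g, '\\u003E');
  }
  if (flags & JSON_HEX_APOS) {
    out = out.replace(/'/g, '\\u0027');
  }
  return out;
}

// Sink 1: JSON dropped into an inline script block. The HTML tokenizer ends
// a <script> element at the first "</script" it sees, whether or not that
// text sits inside a JavaScript string literal, so a raw '<' in the data
// lets an attacker close the script and inject markup.
function inlineScriptPage(json) {
  return '<script>var cfg = ' + json + ';</script>';
}

// True if the page text closes the script element before the intended end.
function breaksOutOfScript(html) {
  const start = '<script>'.length;
  const end = html.lastIndexOf('</script>');
  return /<\/script/i.test(html.slice(start, end));
}

// Sink 2: JSON dropped into a single-quoted HTML attribute. A raw "'" in
// the data terminates the attribute value; JSON_HEX_APOS removes that.
function attributePage(json) {
  return "<div data-cfg='" + json + "'></div>";
}

function breaksOutOfAttribute(html) {
  const start = "<div data-cfg='".length;
  const end = html.lastIndexOf("'></div>");
  return html.slice(start, end).includes("'");
}

// Constructed attacker-controlled input (assumption for the demo).
const untrusted = {
  name: "</script><img src=x onerror=alert(1)>",
  note: "it's fine",
};

// Compare the default encoding with the paranoid one on both sinks, and
// confirm the escapes are lossless for a JSON consumer.
function demo() {
  const plain = jsonEncodeHex(untrusted);
  const hex = jsonEncodeHex(untrusted, JSON_HEX_TAG | JSON_HEX_APOS);
  const parsed = JSON.parse(hex);
  return {
    plainBreaksScript: breaksOutOfScript(inlineScriptPage(plain)),    // true
    hexBreaksScript: breaksOutOfScript(inlineScriptPage(hex)),        // false
    plainBreaksAttribute: breaksOutOfAttribute(attributePage(plain)), // true
    hexBreaksAttribute: breaksOutOfAttribute(attributePage(hex)),     // false
    roundTrips: JSON.stringify(parsed) === JSON.stringify(untrusted), // true
    // The caveat from the proposal: once parsed, the '<' is back, so
    // element.innerHTML = parsed.name would still inject the <img> tag.
    decodedStillHasTag: parsed.name.includes('<img'),                 // true
  };
}
```

The \u escapes work because the HTML parser never decodes them: it sees `\u003C/script\u003E`, not `</script>`, so the script element is not closed early, while the JavaScript engine that later evaluates or JSON.parse()s the literal turns `\u003C` back into `<`. That is also why the hardening stops at the JSON boundary: the decoded value is the original attacker string again, and any later HTML sink such as innerHTML needs its own context-appropriate escaping.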