Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90141
Return-Path: <ajf@ajf.me>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83761 invoked from network); 5 Jan 2016 19:45:53 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 Jan 2016 19:45:53 -0000
X-Host-Fingerprint: 2.218.134.247 unknown  
Received: from [2.218.134.247] ([2.218.134.247:9979] helo=localhost.localdomain)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id ED/F3-12097-D6D1C865 for <internals@lists.php.net>; Tue, 05 Jan 2016 14:45:51 -0500
Message-ID: <ED.F3.12097.D6D1C865@pb1.pair.com>
To: internals@lists.php.net
References: <CAF0C5SJ+67rT59JTgbn=FQG15rcUf0bHAg_L0Uw6_x0YdR7Pow@mail.gmail.com>
Date: Tue, 5 Jan 2016 19:45:45 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0)
 Gecko/20100101 Firefox/42.0 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <CAF0C5SJ+67rT59JTgbn=FQG15rcUf0bHAg_L0Uw6_x0YdR7Pow@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Posted-By: 2.218.134.247
Subject: Re: Proposed change in json_encode+JSON_UNESCAPED_UNICODE behavior
From: ajf@ajf.me (Andrea Faulds)

Hi Eddie,

Eddie Kohler wrote:
> The U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR
> characters are allowed unescaped in JSON strings, but *not* allowed unescaped
> in Javascript. This is widely considered a minor wart in the JSON specification.
> <https://medium.com/joys-of-javascript/json-js-42a28471221d>
>
> As a result, the JSON_UNESCAPED_UNICODE flag is dangerous to use when
> generating HTML. For example, this will generate a Javascript error ("Unexpected
> token ILLEGAL") in the user's browser:
>
> ```
> $x = mb_convert_encoding('&#x2028;', 'UTF-8', 'HTML-ENTITIES');
> echo '<script>x = ', json_encode($x, JSON_UNESCAPED_UNICODE), ';</script>';
> ```
>
> The proposal is for `json_encode(..., JSON_UNESCAPED_UNICODE)` to
> escape the U+2028 and U+2029 characters as \u2028 and \u2029. A new flag,
> JSON_UNESCAPED_LINE_TERMINATORS, preserves the former behavior.
>
> It's important to note that this change *only* affects the non-default
> JSON_UNESCAPED_UNICODE flag.

This sounds reasonable. I'd like to ask, though, does this mean that 
without that flag, U+2028 and U+2029 are always escaped?

Thanks.
-- 
Andrea Faulds
https://ajf.me/