prevent </script> attack

git-svn-id: http://simplejson.googlecode.com/svn/trunk@23 a4795897-2c25-0410-b006-0d3caba88fa1

prevent </script> attack
e205a697dcf7 · Bob Ippolito · 903176097e79 · e205a697 · e205a697
Commit e205a697dcf7 authored 19 years ago by Bob Ippolito
--- a/simplejson/encoder.py
+++ b/simplejson/encoder.py
@@ -6,5 +6,5 @@
 # this should match any kind of infinity
 INFCHARS = re.compile(r'[infINF]')
 ESCAPE = re.compile(r'[\x00-\x19\\"\b\f\n\r\t]')
-ESCAPE_ASCII = re.compile(r'([\\"]|[^\ -~])')
+ESCAPE_ASCII = re.compile(r'([\\"/]|[^\ -~])')
 ESCAPE_DCT = {
@@ -10,4 +10,6 @@
 ESCAPE_DCT = {
+    # escape all forward slashes to prevent </script> attack
+    '/': '\\/',
    '\\': '\\\\',
    '"': '\\"',
    '\b': '\\b',

--- a/simplejson/tests/test_attacks.py
+++ b/simplejson/tests/test_attacks.py
+def test_script_close_attack():
+    import simplejson
+    res = simplejson.dumps('</script>')
+    assert '</script>' not in res
+    res = simplejson.dumps(simplejson.loads('"</script>"'))
+    assert '</script>' not in res