diff --git a/simplejson/encoder.py b/simplejson/encoder.py
index 903176097e7968b04c56aec5dc686a53715dae06_c2ltcGxlanNvbi9lbmNvZGVyLnB5..e205a697dcf757c138188eeeb516c90772b4d89a_c2ltcGxlanNvbi9lbmNvZGVyLnB5 100644
--- a/simplejson/encoder.py
+++ b/simplejson/encoder.py
@@ -6,5 +6,5 @@
 # this should match any kind of infinity
 INFCHARS = re.compile(r'[infINF]')
 ESCAPE = re.compile(r'[\x00-\x19\\"\b\f\n\r\t]')
-ESCAPE_ASCII = re.compile(r'([\\"]|[^\ -~])')
+ESCAPE_ASCII = re.compile(r'([\\"/]|[^\ -~])')
 ESCAPE_DCT = {
@@ -10,4 +10,6 @@ ESCAPE_DCT = {
+    # escape all forward slashes to prevent </script> attack
+    '/': '\\/',
     '\\': '\\\\',
     '"': '\\"',
     '\b': '\\b',
diff --git a/simplejson/tests/test_attacks.py b/simplejson/tests/test_attacks.py
new file mode 100644
index 0000000000000000000000000000000000000000..e205a697dcf757c138188eeeb516c90772b4d89a_c2ltcGxlanNvbi90ZXN0cy90ZXN0X2F0dGFja3MucHk=
--- /dev/null
+++ b/simplejson/tests/test_attacks.py
@@ -0,0 +1,6 @@
+def test_script_close_attack():
+    import simplejson
+    res = simplejson.dumps('</script>')
+    assert '</script>' not in res
+    res = simplejson.dumps(simplejson.loads('"</script>"'))
+    assert '</script>' not in res
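Review bot: Only `ESCAPE_ASCII` gains `/` in the first encoder.py hunk; the sibling `ESCAPE` regex on the context line just above it is unchanged, so if that regex drives the `ensure_ascii=False` path with the same `ESCAPE_DCT` lookup (the encoding functions are outside the hunk), a `/` still passes through unescaped there and the new `ESCAPE_DCT` entry in the second hunk is never reached on that path. The regex and the dict entry should change together: `ESCAPE = re.compile(r'[\x00-\x19\\"/\b\f\n\r\t]')`. Escaping every `/` also alters output for every caller, not just those embedding JSON in HTML; escaping `<` and `>` as `\u003c`/`\u003e` would address the same embedding risk more narrowly while remaining valid JSON, and the new comment should name the context it is defending, e.g. `# escape '/' so a JSON string embedded in a <script> block cannot contain '</script>'`.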
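Review bot: The assertions in `test_script_close_attack` only check that `</script>` is absent from the output, which would also pass if the string were dropped or mangled; pin the exact escaped form with `assert res == '"<\\/script>"'`. The test also exercises only the default encoding mode, so a regression in the non-ASCII escaping path of encoder.py would go unnoticed; add a third call, `assert '</script>' not in simplejson.dumps('</script>', ensure_ascii=False)`, to cover it.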