With the below change, slashes in markup, added as script option, are no longer correctly escaped.
Please also see: https://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2

> When script or style data is the content of an element (SCRIPT and STYLE), the data begins immediately after the element start tag and ends at the first ETAGO ("</") delimiter followed by a name start character ([a-zA-Z]); note that this may not be the element's end tag. Authors should therefore escape "</" within the content. Escape mechanisms are specific to each scripting or style sheet language.
Remove the JSON_UNESCAPED_SLASHES flag.
Steps to reproduce:

1. Add the following code to any controller action, e.g. DisplayController::display() in administrator/components/com_content/src/Controller/

   ```php
   \Joomla\CMS\Factory::getApplication()->getDocument()->addScriptOptions('test', '</script>');
   ```

2. Browse to the corresponding page.

Before this PR: it will break the resulting markup, because the slash in </script> is not escaped.

After this PR: the resulting markup correctly escapes the slash in </script>.
No documentation changes for docs.joomla.org needed.

No documentation changes for manual.joomla.org needed.
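To make the two outcomes in the test instructions concrete, here is an added example in plain PHP; it is not code from this PR or from Joomla. The helper names encodeOptions, renderOptionsElement and firstEtago are invented for the example, and the `<script type="application/json">` wrapper is a simplified stand-in for the markup Joomla emits for script options. The example encodes the same `</script>` payload with and without JSON_UNESCAPED_SLASHES and then applies the HTML rule quoted above (script data ends at the first `</` followed by a letter) to each result.

```php
<?php
// Added example, not Joomla's own code. Shows what JSON_UNESCAPED_SLASHES does
// to a "</script>" string inside script options printed into a
// <script type="application/json"> element, and applies the HTML rule that
// script data ends at the first "</" followed by an ASCII letter.
// encodeOptions(), renderOptionsElement() and firstEtago() are hypothetical
// helper names; the wrapper markup is a simplified stand-in for Joomla's output.

declare(strict_types=1);

/** Encode the options array with or without JSON_UNESCAPED_SLASHES. */
function encodeOptions(array $options, bool $unescapedSlashes): string
{
    $flags = $unescapedSlashes ? JSON_UNESCAPED_SLASHES : 0;  // the flag the PR removes

    return json_encode($options, $flags);
}

/** Wrap the JSON the way a script-options element ends up in the page (simplified). */
function renderOptionsElement(string $json): string
{
    return '<script type="application/json">' . $json . '</script>';
}

/**
 * HTML rule from the W3C note: script data ends at the first ETAGO ("</")
 * followed by a name start character [a-zA-Z]. Returns the byte offset of
 * that ETAGO inside $scriptData, or null when none occurs before the end.
 */
function firstEtago(string $scriptData): ?int
{
    if (preg_match('/<\/[A-Za-z]/', $scriptData, $m, PREG_OFFSET_CAPTURE)) {
        return $m[0][1];
    }

    return null;
}

// Constructed payload: the same value as in the test instructions.
$options = ['test' => '</script>'];

foreach ([[true, 'with JSON_UNESCAPED_SLASHES'], [false, 'without the flag']] as [$flag, $label]) {
    $json    = encodeOptions($options, $flag);
    $element = renderOptionsElement($json);
    $etago   = firstEtago($json);

    echo $label, ":\n  ", $element, "\n";
    if ($etago === null) {
        echo "  script data runs to the real end tag; the browser sees one element\n";
    } else {
        printf("  premature ETAGO at offset %d of the data: the element ends at '%s'"
            . " and the remainder is parsed as HTML\n", $etago, substr($json, $etago));
    }

    // Escaping "/" as "\/" does not change the value client-side code decodes.
    if (json_decode($json, true) !== $options) {
        throw new RuntimeException('decoded options differ from the input');
    }
}
```

With the flag the data is `{"test":"</script>"}` and the ETAGO is found at offset 9, so the element closes inside the string and `"}</script>` leaks into the page as text; without it the data is `{"test":"<\/script>"}` and no ETAGO is found, while json_decode yields the identical array in both cases. The flag only controls `/`; `<` and `>` are left alone either way unless JSON_HEX_TAG is also passed, which is the other common way to keep such strings from closing the element.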
Status | New | ⇒ | Pending |
Category | ⇒ | Libraries |
I do not know any good reason to store the <script> tag in JS options.
I would close it as "do not want to fix".
> I do not know any good reason to store the <script> tag in JS options.
Hi, we had a Joomla 3rd party extension crash our users' sites.
https://extensions.joomla.org/extension/content-export-article/
They add the article html into the JS options.
Is there a specific reason why you do not want the slashes to be escaped?
I can understand your frustration.
> They add the article html into the JS options.
This is a valid reason, but it is not a good reason, especially when it contains script, which can lead to self-XSS.
> Is there a specific reason why you do not want the slashes to be escaped?
To reduce the size of the JSON output, and to avoid unnecessary computation.
(Use of </script> is a very rare edge case.)
In any case I will not block this PR; when other maintainers decide we need it, it can be merged.
I have tested this item ✅ successfully on dd579f5
It works, but see my previous comment.
> Is there a specific reason why you do not want the slashes to be escaped?
Surely that is a security risk?
> Surely that is a security risk?
No, JSON does not need escaped slashes.
@Fedik