authorUrban Müller2024-02-09 15:02:02 +0100
committerUrban Müller2024-02-09 15:02:02 +0100
commitdfd8582933798214d73c9ddb205d43bf2f1e3405 (patch)
tree5d1a66d87e5ea45850abb785e4c7ab1ba27bbbd0
parent2b9648ffc9970d15d2019a561336def3c52e1210 (diff)
encode < to \u003C in jsenv to prevent false positives on XSS detection
-rw-r--r--itjs.class4
-rwxr-xr-xtest/itjs.t2
2 files changed, 3 insertions, 3 deletions
diff --git a/itjs.class b/itjs.class
index e548cd8..37cefe6 100644
--- a/itjs.class
+++ b/itjs.class
@@ -54,7 +54,7 @@ static function json_headers($p = [])
*/
static function serialize($values)
{
- return json_encode($values, JSON_UNESCAPED_UNICODE | (it::is_devel() ? JSON_PRETTY_PRINT : 0));
+ return json_encode($values, JSON_UNESCAPED_UNICODE | JSON_HEX_TAG | (it::is_devel() ? JSON_PRETTY_PRINT : 0));
}
/**
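Review bot: The new JSON_HEX_TAG flag on the json_encode call changes serialize()'s output contract (every `<`/`>` now leaves as `\u003C`/`\u003E`), but the docblock that ends at the `*/` just above the signature (its body is outside this hunk) says nothing about it, so a later maintainer could drop the flag as redundant with the existing `\/` escaping. I would add to that docblock: `Output is safe to embed verbatim inside a <script> element: < and > are emitted as \u003C/\u003E (JSON_HEX_TAG) so a value containing "</script>" or "<!--" cannot close or comment out the element.` If serialize() output is ever placed in an HTML attribute or inside a quoted JS string literal instead, JSON_HEX_TAG alone is not sufficient and JSON_HEX_AMP/JSON_HEX_QUOT/JSON_HEX_APOS would be needed as well — where callers put it is not visible from this hunk. Unrelated to the change, json_encode still returns false on non-UTF-8 input, so the string result is not guaranteed without JSON_THROW_ON_ERROR or a json_last_error() check.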
@@ -104,7 +104,7 @@ static function filecontents($filenames)
$origget = $_GET;
list($filename, $paramstr) = explode("?", $filename);
if ($paramstr)
- parse_str($paramstr, $_GET);
+ $_GET = it::parse_str($paramstr);
$result .= it::replace(array('^1$' => ""), it::match('\.(js|css|htc|html)$', $filename) ? include_once($filename) : (file_exists($filename) ? it::file_get_contents($filename) : it_url::get($filename)), array('utf8' => false));
$_GET = $origget;
}
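Review bot: The `$_GET = $origget;` restore after the include/fetch line is not exception-safe, so if the included file or it_url::get() throws, the request's real `$_GET` stays replaced by the array from the new `$_GET = it::parse_str($paramstr);` line for the remainder of the request. Wrapping the fetch in try/finally keeps the new assignment and guarantees the restore; filecontents() itself begins before this hunk and continues after the closing `}`, so the loop header is not visible here. The `list($filename, $paramstr) = explode("?", $filename)` line above it also raises an undefined-index notice when the name has no `?` and silently drops anything after a second `?`; `[$filename, $paramstr] = explode("?", $filename, 2) + [1 => ""];` avoids both. I am assuming it::parse_str() returns the parsed array, i.e. what the old parse_str() wrote into `$_GET` — confirm against its definition.
```php
if ($paramstr)
    $_GET = it::parse_str($paramstr);
try {
    // … unchanged: $result .= it::replace(...) over include_once / it::file_get_contents / it_url::get …
} finally {
    $_GET = $origget;
}
```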
diff --git a/test/itjs.t b/test/itjs.t
index caea542..76a41d1 100755
--- a/test/itjs.t
+++ b/test/itjs.t
@@ -57,7 +57,7 @@ is(
is(
itjs::serialize("</script>"),
- '"<\\/script>"',
+ '"\\u003C\\/script\\u003E"',
"quote slashes"
);