From dfd8582933798214d73c9ddb205d43bf2f1e3405 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Fri, 9 Feb 2024 15:02:02 +0100
Subject: encode < to \u003C in jsenv to prevent false positives on XSS detection
---
 itjs.class | 4 ++--
 test/itjs.t | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/itjs.class b/itjs.class
index e548cd8..37cefe6 100644
--- a/itjs.class
+++ b/itjs.class
@@ -54,7 +54,7 @@ static function json_headers($p = [])
 */
 static function serialize($values)
 {
- return json_encode($values, JSON_UNESCAPED_UNICODE | (it::is_devel() ? JSON_PRETTY_PRINT : 0));
+ return json_encode($values, JSON_UNESCAPED_UNICODE | JSON_HEX_TAG | (it::is_devel() ? JSON_PRETTY_PRINT : 0));
 }
 /**
@@ -104,7 +104,7 @@ static function filecontents($filenames)
 $origget = $_GET;
 list($filename, $paramstr) = explode("?", $filename);
 if ($paramstr)
- parse_str($paramstr, $_GET);
+ $_GET = it::parse_str($paramstr);
 $result .= it::replace(array('^1$' => ""), it::match('\.(js|css|htc|html)$', $filename) ? include_once($filename) : (file_exists($filename) ? it::file_get_contents($filename) : it_url::get($filename)), array('utf8' => false));
 $_GET = $origget;
 }
diff --git a/test/itjs.t b/test/itjs.t
index caea542..76a41d1 100755
--- a/test/itjs.t
+++ b/test/itjs.t
@@ -57,7 +57,7 @@ is(
 is(
 itjs::serialize(""),
- '"<\\/script>"',
+ '"\\u003C\\/script\\u003E"',
 "quote slashes"
 );
-- 
cgit v1.2.3
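Review bot: The new flag set on the `return json_encode(...)` line still lets json_encode() return false (for example on malformed UTF-8 input), and serialize() hands that straight back, so a caller that echoes the result into a script block emits an empty string and the failure is invisible; if the project targets PHP 7.3 or later, adding `JSON_THROW_ON_ERROR` to the flags, or otherwise checking `json_last_error()`, would surface it. JSON_HEX_TAG plus the default escaping of `/` (which the updated test confirms) makes the output safe as text inside a `<script>` element, but `&`, `'` and `"` are still emitted literally, so the result is not safe inside an HTML attribute or other contexts without further escaping; JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT cover that if such callers appear. That contract belongs in the docblock whose closing `*/` opens the hunk, e.g. `Escapes <, > and / so the result can be embedded as <script> text; not attribute-safe.` The docblock itself starts outside the hunk.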
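Review bot: The new `$_GET = it::parse_str($paramstr);` line replaces the superglobal and relies on the `$_GET = $origget;` restore two lines below, which is skipped if the include_once() or it_url::get() call on the line in between throws, so later code in the same request would keep seeing the query parameters of an included file; wrapping the include and the restore in `try { … } finally { $_GET = $origget; }` keeps the restore unconditional. This assumes it::parse_str() returns the parsed array rather than assigning by reference as the native parse_str() did; if it also differs in key handling (native parse_str rewrites dots and spaces in keys to underscores), an included file reading `$_GET` may see different key names, which is worth a sentence in the commit message or a test. filecontents() begins and ends outside the hunk.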
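Review bot: The dataset label `"quote slashes"` no longer describes the assertion, which now also checks that `<` and `>` become `\u003C` and `\u003E`; renaming it to `"escape slashes and angle brackets"` keeps the test output readable. The argument is rendered here as `itjs::serialize("")`, which cannot yield the expected string, so the literal was presumably lost when the patch was rendered; assuming it is a `</script>` string, a second case containing a bare `&` or `"` would pin down which characters the encoder leaves unescaped.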