diff options
| author | Urban Müller | 2024-02-09 15:02:02 +0100 |
|---|---|---|
| committer | Urban Müller | 2024-02-09 15:02:02 +0100 |
| commit | dfd8582933798214d73c9ddb205d43bf2f1e3405 (patch) | |
| tree | 5d1a66d87e5ea45850abb785e4c7ab1ba27bbbd0 | |
| parent | 2b9648ffc9970d15d2019a561336def3c52e1210 (diff) | |
| download | itools-dfd8582933798214d73c9ddb205d43bf2f1e3405.tar.gz itools-dfd8582933798214d73c9ddb205d43bf2f1e3405.tar.bz2 itools-dfd8582933798214d73c9ddb205d43bf2f1e3405.zip | |
encode < to \u003C in jsenv to prevent false positives on XSS detection
| -rw-r--r-- | itjs.class | 4 | ||||
| -rwxr-xr-x | test/itjs.t | 2 |
2 files changed, 3 insertions, 3 deletions
@@ -54,7 +54,7 @@ static function json_headers($p = []) */ static function serialize($values) { - return json_encode($values, JSON_UNESCAPED_UNICODE | (it::is_devel() ? JSON_PRETTY_PRINT : 0)); + return json_encode($values, JSON_UNESCAPED_UNICODE | JSON_HEX_TAG | (it::is_devel() ? JSON_PRETTY_PRINT : 0)); } /** @@ -104,7 +104,7 @@ static function filecontents($filenames) $origget = $_GET; list($filename, $paramstr) = explode("?", $filename); if ($paramstr) - parse_str($paramstr, $_GET); + $_GET = it::parse_str($paramstr); $result .= it::replace(array('^1$' => ""), it::match('\.(js|css|htc|html)$', $filename) ? include_once($filename) : (file_exists($filename) ? it::file_get_contents($filename) : it_url::get($filename)), array('utf8' => false)); $_GET = $origget; } diff --git a/test/itjs.t b/test/itjs.t index caea542..76a41d1 100755 --- a/test/itjs.t +++ b/test/itjs.t @@ -57,7 +57,7 @@ is( is( itjs::serialize("</script>"), - '"<\\/script>"', + '"\\u003C\\/script\\u003E"', "quote slashes" ); |