php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #41307 Extend json_encode to support XSS-safe output
Submitted: 2007-05-06 21:47 UTC Modified: 2010-09-16 15:58 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: marcus at synchromedia dot co dot uk Assigned:
Status: Wont fix Package: JSON related
PHP Version: 5.2.2 OS: n/a
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: marcus at synchromedia dot co dot uk
New email:
PHP Version: OS:

 

 [2007-05-06 21:47 UTC] marcus at synchromedia dot co dot uk
Description:
------------
It would be nice to add a json safety feature to prevent XSS attacks. 
There is already a popular implementation of the client end of this, 
which is described here: http://www.prototypejs.org/learn/json

My request is to add an optional param to json_encode so that it 
produces output which is compatible with that of prototype. Any other 
JS library will still be compatible wih that approach. In short, wrap 
json_encode output in comments like so:

$json_output = "/*-secure-\n".json_encode($myvar)."*/";

A new implementation might achieve this as:

$json_output = json_encode($myvar, true);

I'm suggesting doing this in the ext rather than in user code as it's 
something that will likely be used a lot, and the syntax is easy to 
get wrong.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-09-16 15:58 UTC] aharvey@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: JSON related
 [2010-09-16 15:58 UTC] aharvey@php.net
Given how easy this is to implement in user space and that it doesn't seem to be a terribly common way of formatting JSON data (not to mention that it's invalid per the spec), I think it's best to close this won't fix.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jul 21 20:01:30 2024 UTC