php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #41307 Extend json_encode to support XSS-safe output
Submitted: 2007-05-06 21:47 UTC Modified: 2010-09-16 15:58 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: marcus at synchromedia dot co dot uk Assigned:
Status: Wont fix Package: JSON related
PHP Version: 5.2.2 OS: n/a
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: marcus at synchromedia dot co dot uk
New email:
PHP Version: OS:

 

 [2007-05-06 21:47 UTC] marcus at synchromedia dot co dot uk 
Description:
------------
It would be nice to add a json safety feature to prevent XSS attacks. 
There is already a popular implementation of the client end of this, 
which is described here: http://www.prototypejs.org/learn/json

My request is to add an optional param to json_encode so that it 
produces output which is compatible with that of prototype. Any other 
JS library will still be compatible wih that approach. In short, wrap 
json_encode output in comments like so:

$json_output = "/*-secure-\n".json_encode($myvar)."*/";

A new implementation might achieve this as:

$json_output = json_encode($myvar, true);

I'm suggesting doing this in the ext rather than in user code as it's 
something that will likely be used a lot, and the syntax is easy to 
get wrong.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-09-16 15:58 UTC] aharvey@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: JSON related
 [2010-09-16 15:58 UTC] aharvey@php.net 
Given how easy this is to implement in user space and that it doesn't seem to be a terribly common way of formatting JSON data (not to mention that it's invalid per the spec), I think it's best to close this won't fix.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 10:01:28 2024 UTC