
Disallow <! in <script>
Closed, Public

Authored by vrana on Oct 16 2013, 3:49 PM.
Tags
None

Details

Reviewers
epriestley
Commits
Restricted Diffusion Commit
rP29391a658e77: Disallow <! in <script>
Summary

HTML5 has these crazy script escaping states:

  • Script data escaped dash dash state
  • Script data double escaped state

https://communities.coverity.com/blogs/security/2012/11/16/did-i-do-that-html-5-js-escapers-3

Perhaps <! is too aggressive, but I didn't spend much time searching for a more fine-grained expression.
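To see why a bare <! is worth refusing, here is an added example (not Phabricator's code) that models the HTML5 script-data tokenizer states in Python: script_end_index reports where a browser would actually close a <script> element given its content, contains_escape_start is the revision's rule, and encode_for_script is an assumed stand-in for the json_encode() plus "<" replacement the review mentions.

```python
import json
import re
from typing import Optional

# "Appropriate end tag": "script" must be followed by whitespace, "/" or ">".
_END_TAG = re.compile(r"</script(?=[\s/>])", re.IGNORECASE)
_START_TAG = re.compile(r"<script(?=[\s/>])", re.IGNORECASE)


def script_end_index(data: str) -> Optional[int]:
    """Index at which a browser closes the <script> whose content is `data`,
    or None if the element runs to end of input.

    Simplified HTML5 tokenizer: "<!--" enters the script data escaped state,
    "<script>" inside it enters the double escaped state, and a "</script>"
    seen while double escaped only drops back to the escaped state instead of
    ending the element. "-->" leaves both escaped states.
    """
    state = "data"  # one of "data", "escaped", "double"
    i, n = 0, len(data)
    while i < n:
        if state == "data" and data.startswith("<!--", i):
            state, i = "escaped", i + 4
        elif state != "data" and data.startswith("-->", i):
            state, i = "data", i + 3
        elif data[i] == "<" and _END_TAG.match(data, i):
            if state != "double":
                return i  # the element really ends here
            state, i = "escaped", _END_TAG.match(data, i).end()
        elif state == "escaped" and _START_TAG.match(data, i):
            state, i = "double", _START_TAG.match(data, i).end()
        else:
            i += 1
    return None


def contains_escape_start(data: str) -> bool:
    """The revision's rule: any "<!" could begin the escaped state, so refuse it."""
    return "<!" in data


def encode_for_script(value) -> str:
    """Assumed stand-in for json_encode() plus the "<" replacement from the
    review: with no literal "<" left, none of the states above is reachable."""
    return json.dumps(value).replace("<", "\\u003c")
```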

Test Plan

Searched for renderInlineScript().

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

Thanks!

Do you think we should also force json_encode() to escape !? I can't imagine it causing problems, so we could probably wait until it does...

I think this is fine. It should be dangerous only inside <script> and we replace all < before sending it there.