Deprecated: Function get_magic_quotes_gpc() is deprecated in /home/styllloz/public_html/qa-include/qa-base.php on line 1175

Warning: session_start(): Cannot start session when headers already sent in /home/styllloz/public_html/qa-include/app/users.php on line 162

Warning: Cannot modify header information - headers already sent by (output started at /home/styllloz/public_html/qa-include/qa-base.php:1175) in /home/styllloz/public_html/qa-include/app/users.php on line 1267

Warning: Cannot modify header information - headers already sent by (output started at /home/styllloz/public_html/qa-include/qa-base.php:1175) in /home/styllloz/public_html/qa-include/app/page.php on line 356
Is it safe to insert JSON in HTML - code-flow.club | Q&A

Is it safe to insert JSON in HTML


Warning: count(): Parameter must be an array or an object that implements Countable in /home/styllloz/public_html/qa-theme/donut-theme/qa-donut-layer.php on line 274
0 like 0 dislike
4 views
Is it safe to insert JSON strings received from the user, directly in the page via a script tag? Whether it is through special html sequences to break the JSON, making a XSS? The JSON is generated by PHP function json_encode.

Example.

$queryData = json_encode(array('query' => isset($_GET['query']) ? $_GET['query'] : ", ...));


Page template:
<?php echo 'var queryData = ' . $queryData . ';' ?>
by | 4 views

3 Answers

0 like 0 dislike
Valid JSON XSS can cause, json_encode produces, of course, valid. Another thing is that you continue with this JSONом'll do next — if the output to the page, it is necessary not to forget escapeth yourself.
by
0 like 0 dislike 
<?php\recho json_encode(array('tzt'=>'\\")); // gives {"tzt":"'"} echo json_encode(array('tzt'=>'\\"')); // gives {"tzt":"\\""} echo json_encode(array('tzt'=>'')); // gives {"tzt":"<\\/script>"} echo json_encode(array('tzt'=>'<\\\\/script>')); // gives {"tzt":"<\\\\\\/script>"} echo json_encode(array('tzt'=>"\\x0")); // gives {"tzt":"\\u0000"} ?>

There seems to be no way to break the JSON. But I just broke the parser Habrahabr: last """-quotes (in the comments) instead of a blank space should appear as "\\u" followed from "0000".
by
0 like 0 dislike
Though what and where to insert. JSON itself is transport — if the user in the comments hammered XSS, it honestly will be transferred via json seascape and all, but as soon as it as a piece of html inserted into the page text, then he will bite.
\r
Again, if you return the form filled in by the user, and it is back — Yes health even though what sticks. But in public — not good.
by

Related questions

0 like 0 dislike
1 answer
How to insert contents of a file from json to html?
asked Apr 20, 2019 by Mark54
0 like 0 dislike
1 answer
As the contents of json file to insert into the html or php page?
asked Apr 21, 2019 by Mark54
0 like 0 dislike
1 answer
Protection against changes in the DOM through the console?
asked Apr 13, 2019 by elevennine

Most popular tags

javascript php css html jquery wordpress python linux web-development mysql android windows java layout c# computer-networks node.js cpp iron yii vue.js 1C-Bitrix react laravel django nginx system-administration search-engine-optimization api ubuntu the-it-education. ajax sql programming hosting cms design apache google-chrome bootstrap Vkontakte macos google network-administration git laptops algorithms regular-expressions unity-game-engine email angular database network-equipment software wooсommerce debian .net ios information-security video law-in-it browsers books parsing wi-fi game-development career htaccess postgresql telegram mikrotik mobile-development ruby-on-rails the-domain-name-system modx Yandex c json opencart Habr freelance vpn asp.net windows-server symfony bots hard-drives math qt DIY audio frontend payment-system bash electronics gulp.js user-interface docker online-shopping
110,608 questions
257,186 answers
0 comments
35,182 users