Is it safe to insert JSON in HTML - code-flow.club | Q&A

Is it safe to insert JSON strings received from the user directly into the page via a script tag? Could special HTML sequences be used to break out of the JSON and cause XSS? The JSON is generated by the PHP function json_encode.

Example:

$queryData = json_encode(array('query' => isset($_GET['query']) ? $_GET['query'] : '', ...));


Page template:
<?php echo 'var queryData = ' . $queryData . ';' ?>

3 Answers

Valid JSON can cause XSS; json_encode, of course, produces valid JSON. Another matter is what you do with this JSON next: if you output it to the page, don't forget to escape it yourself.
<?php
echo json_encode(array('tzt'=>'\'')); // gives {"tzt":"'"}
echo json_encode(array('tzt'=>'"')); // gives {"tzt":"\""}
echo json_encode(array('tzt'=>'</script>')); // gives {"tzt":"<\/script>"}
echo json_encode(array('tzt'=>'<\\/script>')); // gives {"tzt":"<\\\/script>"}
echo json_encode(array('tzt'=>"\x0")); // gives {"tzt":"\u0000"}
?>

There seems to be no way to break the JSON. But I just broke Habrahabr's parser: the last ""-quotes (in the comment) should instead read "\u" followed by "0000".
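An added example (not code from the question or any of the answers) for the script-tag case in the question: json_encode escapes "/" by default, which already neutralises a plain "</script>", but "<", ">", "&" and quotes are only escaped when the JSON_HEX_* flags are given. json_for_script is a hypothetical helper name and the sample inputs are constructed.

```php
<?php
// Added example: embedding user-controlled JSON inside a <script> block.
// With JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT the output
// contains no "<", ">", "&", "'" or '"' at all, so it cannot terminate the
// script element or an enclosing HTML attribute.

// Constructed sample inputs that a user might submit as ?query=...
$samples = array(
    '</script><b>x</b>',   // tag breakout attempt
    "'\"",                 // quotes (matter inside attributes)
    'a & b',               // ampersand
    "\x00",                // NUL byte
);

// Hypothetical helper: encode a value for safe placement inside <script>.
function json_for_script($value)
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($value, $flags);
    if ($json === false) {
        // Invalid UTF-8 etc.: fail closed instead of emitting partial output.
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Compare the default encoding with the hardened one for each sample.
foreach ($samples as $s) {
    echo 'default  : ', json_encode(array('query' => $s)), "\n";
    echo 'hex flags: ', json_for_script(array('query' => $s)), "\n\n";
}

// The page template from the question, using the hardened encoder.
$queryData = json_for_script(array(
    'query' => isset($_GET['query']) ? $_GET['query'] : '',
));
?>
<script>var queryData = <?php echo $queryData; ?>;</script>
```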
It depends on what you insert and where. JSON by itself is transport: if a user typed XSS into a comment, it will be faithfully carried via JSON, escaped, and that's it, but as soon as it is inserted into the page text as a piece of HTML, then it bites.

Again, if you return the form the user filled in back to that same user, fine, let them insert whatever they like. But in public, not good.