Is it safe to insert JSON in HTML

Is it safe to insert JSON strings received from the user directly into the page via a script tag? Could special HTML sequences break the JSON and lead to XSS? The JSON is generated by the PHP function json_encode.

Example:

$queryData = json_encode(array(
    'query' => isset($_GET['query']) ? $_GET['query'] : '',
    // ...
));


Page template:
<?php echo 'var queryData = ' . $queryData . ';' ?>

3 Answers

Valid JSON cannot cause XSS, and json_encode of course produces valid JSON. Another matter is what you do with this JSON next: if you output it to the page, you must not forget to escape it yourself.
by
<?php
echo json_encode(array('tzt' => '\''));          // gives {"tzt":"'"}
echo json_encode(array('tzt' => '"'));           // gives {"tzt":"\""}
echo json_encode(array('tzt' => '</script>'));   // gives {"tzt":"<\/script>"}
echo json_encode(array('tzt' => '<\\/script>'));  // gives {"tzt":"<\\\/script>"}
echo json_encode(array('tzt' => "\x0"));         // gives {"tzt":"\u0000"}
?>

It seems there is no way to break the JSON. But I did just break Habrahabr's parser: in the last line, where the comment shows a blank space between the quotes, there should be "\u" followed by "0000".
by
It depends on what you insert and where. JSON itself is just transport: if a user typed XSS into a comment, it will honestly be carried through JSON, escaped and all, but as soon as it is inserted into the page text as a piece of HTML, it will bite.

Then again, if you are only returning the form the user filled in back to that same user, go ahead and paste in whatever you like. But in public, that is not good.
by
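As an added example (not part of the question or of any of the answers), the following PHP handles the two contexts this thread distinguishes: JSON placed inside a script block, and the same user value placed into HTML text. The $query value is a constructed test input standing in for $_GET['query'], and the function names are my own.

```php
<?php
// Added example, not code from the original question or answers.
// Constructed test input standing in for $_GET['query'].
$query = '</script><img src=x onerror=alert(1)>';

// Context 1: JSON inside a <script> block. Plain json_encode already turns "/"
// into "\/" by default, so "</script>" cannot close the tag. The JSON_HEX_*
// flags additionally encode < > & ' " as \uXXXX, which keeps the output safe
// even if JSON_UNESCAPED_SLASHES is added later or the string ends up in an
// HTML attribute.
function jsonForScript($data) {
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Context 2: the same value in HTML text. JSON is the wrong tool here, because
// the browser parses this output as markup; HTML-escape it instead.
function textForHtml($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$queryData = jsonForScript(array('query' => $query));
// $queryData is now:
// {"query":"\u003C\/script\u003E\u003Cimg src=x onerror=alert(1)\u003E"}

// Safe: JSON inside a script tag, HTML-escaped text inside the paragraph.
echo '<script>var queryData = ' . $queryData . ';</script>';
echo '<p>You searched for: ' . textForHtml($query) . '</p>';
// <p>You searched for: &lt;/script&gt;&lt;img src=x onerror=alert(1)&gt;</p>

// Unsafe (left commented out): the third answer's case. Dropping the JSON
// string into HTML text lets the browser read the tags inside it as markup,
// because json_encode only protects the JSON context, not the HTML one.
// echo '<p>Debug: ' . json_encode(array('query' => $query)) . '</p>';
```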
