JavaScriptEncoder escapes "-", which makes dates escaped
marwin1991 opened this issue · 6 comments
marwin1991 commented
I am referring to this part of the code:
    if (mode == Mode.BLOCK || mode == Mode.HTML) {
        // in <script> blocks, we need to prevent the browser from seeing
        // "</anything>" and "<!--". To do so we escape "/" as "\/" and
        // escape "-" as "\-". Both could be solved with a hex encoding
        // on "<" but we figure "<" appears often in script strings and
        // the backslash encoding is more readable than a hex encoding.
        // (And note, a backslash encoding would not prevent the exploits
        // on "</...>" and "<!--".)
        // In short "</script>" is escaped as "<\/script>" and "<!--" is
        // escaped as "<!\-\-".
        _validMasks[1] &= ~((1 << '/') | (1 << '-'));
    }
The problem is with "-" because "-" is also used in date formats, e.g. 2000-01-01.
I am not sure, but maybe "--" should be escaped to "\--"?
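The following is an added example and not code from the OWASP Java Encoder project or from anyone in this thread. It imitates only the BLOCK-mode rule quoted above (escape "/" and "-" with a backslash, plus the usual string-literal escapes; the real encoder hex-encodes many more characters) and applies it to a date string, so that the two views can be compared: what the HTML parser sees inside the `<script>` block, and what the JS engine evaluates. The function names `encodeForJavaScriptBlock`, `scriptBlock` and `roundTrip` are my own, as is the sample date.

```javascript
// Simplified imitation of the BLOCK-mode rule (assumption: not the
// project's encoder). Always-required string escapes, plus "/" and "-"
// so that "</script>" and "<!--" cannot appear in the emitted script.
function encodeForJavaScriptBlock(s) {
  let out = "";
  for (const ch of s) {
    switch (ch) {
      case "\\": out += "\\\\"; break;
      case "'":  out += "\\'";  break;
      case '"':  out += '\\"';  break;
      case "\n": out += "\\n";  break;
      case "\r": out += "\\r";  break;
      case "/":  out += "\\/";  break; // "</script>" becomes "<\/script>"
      case "-":  out += "\\-";  break; // "<!--" becomes "<!\-\-"
      default:   out += ch;
    }
  }
  return out;
}

// What a server-side template would emit when embedding the value in a
// script block: this is the text the HTML parser scans for "</script>"
// and "<!--" before the JS engine ever runs.
function scriptBlock(value) {
  return '<script>var d = "' + encodeForJavaScriptBlock(value) + '";</script>';
}

// Evaluate the emitted string literal the way the JS engine would, to
// check that the value survives the round trip. "\-" and "\/" are
// identity escapes in JS string literals, so they decode to "-" and "/".
function roundTrip(value) {
  return new Function('return "' + encodeForJavaScriptBlock(value) + '";')();
}

// True when only the real closing tag, not the embedded data, contains
// the "</script>" sequence.
function closingTagIsUnique(value) {
  const html = scriptBlock(value);
  return html.indexOf("</script>") === html.lastIndexOf("</script>");
}

// Constructed sample date (assumption).
const sampleDate = "2022-03-25";
console.log(scriptBlock(sampleDate)); // <script>var d = "2022\-03\-25";</script>
console.log(roundTrip(sampleDate));   // 2022-03-25
```

The encoded form "2022\-03\-25" is only what appears in the page source; once the script block is parsed, `d` holds "2022-03-25" again, so a date passed to `new Date()` or compared as a string is unchanged, while a value containing "</script>" or "<!--" can no longer terminate the block or open an HTML comment.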
jmanico commented
cc @jeremylong any suggestions here?
jmanico commented
Why is escaping - a problem? This should be for the UI where we are just displaying data.
Can you give me a code snippet that triggered the error? I bet we can work around it.
jeremylong commented
I would be very curious about a valid use case where this would be a problem. Can an example be provided?
marwin1991 commented
From what I remember, when you have a date like 2022-03-25
it is escaped to 2022\-03\-25
jeremylong commented
What I'm asking in code - why is this a problem?
jmanico commented
I do not see this as an issue per Jeremy's POC. Please re-open if you think otherwise!