OWASP/owasp-java-encoder

JavaScriptEncoder escapes "-", which causes dates to be escaped

marwin1991 opened this issue · 6 comments

I refer to this part of code:

if (mode == Mode.BLOCK || mode == Mode.HTML) {
    // in <script> blocks, we need to prevent the browser from seeing
    // "</anything>" and "<!--". To do so we escape "/" as "\/" and
    // escape "-" as "\-".  Both could be solved with a hex encoding
    // on "<" but we figure "<" appears often in script strings and
    // the backslash encoding is more readable than a hex encoding.
    // (And note, a backslash encoding would not prevent the exploits
    // on "</...>" and "<!--".)
    // In short "</script>" is escaped as "<\/script>" and "<!--" is
    // escaped as "<!\-\-".
    _validMasks[1] &= ~((1 << '/') | (1 << '-'));
}

The problem is with "-" because "-" is also used in date formats, e.g. 2000-01-01

I am not sure, but maybe "--" should be escaped to "\--"?

cc @jeremylong any suggestions here?

Why is escaping "-" a problem? This should be for the UI, where we are just displaying data.

Can you give me a code snippet that triggered the error? I bet we can work around it.

I would be very curious about a valid use case where this would be a problem. Can an example be provided?

From what I remember, when you have a date like 2022-03-25 it is escaped to 2022\-03\-25

What I'm asking is: in code, why is this a problem?

See https://jsfiddle.net/jeremy_long/we3f9dxm/1/

I do not see this as an issue per Jeremy's POC. Please re-open if you think otherwise!
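The following is an added example, not code from the owasp-java-encoder project or from anyone in this thread. It re-implements, in JavaScript, a simplified version of the BLOCK/HTML-mode rule quoted at the top of the issue (escape "/" as "\/" and "-" as "\-", plus the usual quote and newline escapes; the real encoder handles more characters), then evaluates the encoded text the way a browser does when it appears inside a string literal in a <script> block. The names encodeForScriptBlock, decodeAsScriptLiteral and containsScriptBreakingSequence are assumptions for this example.

```javascript
// Added example, not the project's own code: a minimal JavaScript port of
// the "/" and "-" escaping rule discussed in the issue.
function encodeForScriptBlock(str) {
  let out = "";
  for (const ch of str) {
    switch (ch) {
      case "\\": out += "\\\\"; break;
      case '"':  out += '\\"';  break;
      case "'":  out += "\\'";  break;
      case "\n": out += "\\n";  break;
      case "\r": out += "\\r";  break;
      case "/":  out += "\\/";  break; // "</script>" becomes "<\/script>"
      case "-":  out += "\\-";  break; // "<!--" becomes "<!\-\-"
      default:   out += ch;
    }
  }
  return out;
}

// Evaluate the encoded text as a double-quoted JS string literal, which is
// what the browser does once the encoded value is embedded in a <script>
// block. In JavaScript "\-" and "\/" are identity escapes, so the script
// sees the original characters.
function decodeAsScriptLiteral(encoded) {
  return new Function('return "' + encoded + '";')();
}

// Check whether the encoded text still contains either of the two byte
// sequences the HTML parser acts on inside <script> data.
function containsScriptBreakingSequence(encoded) {
  return /<\/|<!--/.test(encoded);
}

// Constructed inputs: the date from the issue and a deliberately hostile value.
const date = "2022-03-25";
const hostile = '</script><!-- x';
console.log(encodeForScriptBlock(date));                          // 2022\-03\-25
console.log(decodeAsScriptLiteral(encodeForScriptBlock(date)));   // 2022-03-25
console.log(encodeForScriptBlock(hostile));                       // <\/script><!\-\- x
console.log(decodeAsScriptLiteral(encodeForScriptBlock(hostile))); // </script><!-- x
```

The point the POC makes is visible in the decoded values: the backslashes are consumed by the JavaScript string-literal grammar, so the running script receives "2022-03-25" unchanged, while the raw text the HTML parser reads no longer contains "</" or "<!--".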