Possibly support '\/' escaping vs \u002F
iwc opened this issue · 1 comment
We have a project that uses express-state that also uses some filtering infrastructure that scans emitted page content for certain types of url replacement.
The filtering code can handle \/ escapes, but not the \u002F escapes for the '/' character.
Could we possibly add an option to support the alternate escape format?
We're following the OWASP HTML escaping recommendations, which specifically state that you should avoid escaping with backslashes.

The thing we're trying to avoid is the browser interpreting UGC as HTML. Since Express State outputs literal JavaScript code inside of an inline <script>, we have to be very cautious of a malicious party prematurely closing the </script>, which opens up the XSS. By simply using a backslash to escape, the browser will still interpret <\/script> as a closing script tag.

It sounds like you need to update your filtering code to properly work with UTF-8 content, since "\u002F" === "/".
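The following is an added example, not code from express-state or from either participant in this thread. It shows the two escape styles the issue compares side by side: a \uXXXX form that removes every '<', '>' and '/' from the inline-script payload, and the '\/' form the reporter's filtering code expects. Both are plain JSON, so JSON.parse returns the same value for either; the difference is only in which raw characters survive in the emitted page. The helper names, the constructed UGC object and the URL are assumptions made up for the example.

```javascript
// Added example (hypothetical helpers, not express-state's API): two ways of
// escaping a JSON-serialized value before embedding it in an inline <script>.

// Replacements for characters that should never appear literally inside an
// inline <script> when the payload contains user-generated content.
// U+2028/U+2029 are valid inside JSON strings but terminate a JS line.
const UNICODE_ESCAPES = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029'
};

// Style 1: escape every risky character as \uXXXX.
function serializeUnicode(value) {
  return JSON.stringify(value)
    .replace(/[<>\/\u2028\u2029]/g, c => UNICODE_ESCAPES[c]);
}

// Style 2: the '\/' form requested in the issue. JSON only defines a short
// escape for '/', so '<' and '>' still have to use the \uXXXX form.
function serializeSlash(value) {
  return JSON.stringify(value)
    .replace(/[<>\/\u2028\u2029]/g, c => (c === '/' ? '\\/' : UNICODE_ESCAPES[c]));
}

// Both outputs are valid JSON, so a parser reads back the original value.
function roundTrips(value) {
  const expected = JSON.stringify(value);
  return JSON.stringify(JSON.parse(serializeUnicode(value))) === expected &&
         JSON.stringify(JSON.parse(serializeSlash(value))) === expected;
}

// Check for the raw byte sequence an HTML parser acts on inside <script>.
function containsRawScriptClose(serialized) {
  return /<\/script/i.test(serialized);
}

// Check whether any literal '/' survives (this is what a URL-scanning filter
// like the reporter's would need to see).
function hasRawSlash(serialized) {
  return serialized.includes('/');
}

// Constructed malicious UGC: tries to close the inline script early.
const ugc = {
  comment: '</script><script>alert(1)</script>',
  url: 'https://example.test/a/b'
};

console.log(serializeUnicode(ugc));
console.log(serializeSlash(ugc));
```

Unescaped JSON.stringify output of the constructed UGC carries a raw </script; neither escaped form does. The \uXXXX form also contains no '/' at all, which is exactly why a filter that scans emitted pages for URLs sees nothing in express-state output, while the '\/' form keeps the slash visible to such a filter.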