rmannibucau commented on PR #122:
URL: https://github.com/apache/johnzon/pull/122#issuecomment-1997903610
Hi @gaellalire , I don't really get the fix - I understand you want to
prevent, let's say `<script>alert('boom');</script>`, from being in a JSON string, but
escaping will not be a fix since the fix is in the DOM - or XML document,
depending on where you want the injection - so the fix belongs to another layer
whatever you do, since between johnzon and the next layer you can unescape IMHO.
Side note: if we go with a config we must also ensure the config unescapes, to
keep write/read symmetric at a minimum, so it will not help your case I fear.
Hope it makes sense.
If I missed a case, don't hesitate to give an example/add a test to let me
understand the use case better.
--
This is an automated message from the Apache Git Service.
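The layering argument in the comment above, as an added example that is not Johnzon code and not part of the thread: escaping `<` inside the JSON text is undone by the consumer's `JSON.parse`, so the protection has to be applied where the string is placed into markup. The function names and the sample value are constructed for this illustration.

```javascript
// Added example (not Johnzon code): why escaping '<' inside a JSON string does
// not protect the HTML/DOM layer, since JSON.parse restores the original text.

// Constructed sample value, as it might sit in a JSON payload.
const untrusted = "<script>alert('boom');</script>";

// Serializer-side "fix": emit '<' and '>' as \u003c / \u003e in the JSON text.
// The JSON document itself no longer contains a literal '<'.
function jsonEscapeAngleBrackets(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}

// The next layer parses the JSON: \u003c / \u003e are decoded back to '<' / '>',
// so the consumer ends up holding exactly the original untrusted string.
function roundTrip(value) {
  return JSON.parse(jsonEscapeAngleBrackets(value));
}

// Output-layer fix: HTML-encode at the point the string is inserted into markup.
// This is the layer that knows the output context (HTML here), so it is the
// layer that can encode correctly; a serializer cannot know that context.
function htmlEncode(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderComment(value) {
  return "<p>" + htmlEncode(value) + "</p>";
}
```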