poison
:html_safe is NOT html safe
If the JSON contains the string <!-- anything here <script>
it will comment out the rest of the HTML, breaking the website.
The problem? Adding the :html_safe option to encode/2 doesn't escape this sequence.
Reproduction
<script>
const a = "<!-- <script>"
</script>
<h1>This is commented out</h1>
Why is that?
Because of the HTML spec's restrictions on the contents of script elements: https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
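The escaping that a JSON encoder has to apply before its output is embedded in a <script> element, as an added example that is not Poison's or Jason's own code: every <, > and & (plus the U+2028/U+2029 line terminators) is replaced by its JSON \u escape, which JSON.parse in the browser decodes back to the original character while the HTML parser never sees a literal <!-- or <script. The function names (json_for_script, contains_script_breakout, render_script_tag) and the sample payload are assumptions made for this example.

```python
import json
import re

# Sequences the HTML spec treats specially inside <script> content.
# A literal "<!--" followed by "<script" puts the parser into a state in
# which "</script>" no longer closes the element, so the rest of the
# page is swallowed (this is what the reproduction above shows).
_SCRIPT_BREAKOUT = re.compile(r"<!--|<script|</script", re.IGNORECASE)

# Characters replaced with JSON \u escapes. The escapes are valid JSON,
# so the value round-trips unchanged through JSON.parse in the browser,
# but the HTML parser never sees a literal "<", ">" or "&".
_REPLACEMENTS = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",  # JS line terminators that are legal raw in JSON strings
    "\u2029": "\\u2029",
}


def contains_script_breakout(text: str) -> bool:
    """True if text carries a sequence that can break out of a <script> block.

    Useful as a defensive check on encoder output before it is rendered.
    """
    return _SCRIPT_BREAKOUT.search(text) is not None


def json_for_script(value) -> str:
    """Serialise value as JSON that is safe to embed inline in a <script> element.

    Hypothetical counterpart of Poison.encode!(value, html_safe: true) with
    the escaping the issue asks for (example code, not the library's own).
    """
    encoded = json.dumps(value, ensure_ascii=False)
    for raw, escaped in _REPLACEMENTS.items():
        encoded = encoded.replace(raw, escaped)
    return encoded


def render_script_tag(var_name: str, value) -> str:
    """Build a <script> element that assigns value to a JS variable."""
    return f"<script>const {var_name} = {json_for_script(value)};</script>"


if __name__ == "__main__":
    # Constructed sample input mirroring the reproduction in the issue.
    payload = {"comment": "<!-- <script>"}
    naive = json.dumps(payload)      # contains the literal <!-- sequence
    safe = json_for_script(payload)  # {"comment": "\u003c!-- \u003cscript\u003e"}
    print("naive breaks out:", contains_script_breakout(naive))
    print("safe breaks out: ", contains_script_breakout(safe))
    print(render_script_tag("a", payload))
    # The escaped form still decodes to the original value.
    assert json.loads(safe) == payload
```

The check in contains_script_breakout is deliberately case-insensitive because the HTML tokenizer matches these sequences ASCII-case-insensitively; an encoder that only escapes a lowercase "<script" is still exposed.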
Fix in Jason
Fixed here https://github.com/michalmuskala/jason/commit/188e66b40d99ccb43cd4a67f142f083640e62ed7