big-list-of-naughty-strings
big-list-of-naughty-strings copied to clipboard
Add <!--<script> to the list of strings
Following string should be on list of strings.
<!--<script>
The idea here is that such a string would cause denial of service (JavaScript fails to load) attack on certain JSON encoders. For instance, consider the following HTML page.
<!DOCTYPE html>
<script>
var p = "<!--<script>"
// </script>
document.write("Script doesn't close!")
</script>
Putting <!--<script>
in a string has an unusual property of making </script>
not work.
Some JSON encoders (such as one in PHP) encode slashes which prevents </script>
escape:
$ php -r 'echo json_encode("/");'
"\/"
This does nothing again <!--<script>
$ php -r 'echo json_encode("<!--<script>");'
"<!--<script>"