big-list-of-naughty-strings icon indicating copy to clipboard operation
big-list-of-naughty-strings copied to clipboard

Published 20 hours ago verified publisher icon minimaxir

Add <!--<script> to the list of strings

Open KamilaBorowska opened this issue 3 years ago • 0 comments

Following string should be on list of strings.

<!--<script>

The idea here is that such a string would cause denial of service (JavaScript fails to load) attack on certain JSON encoders. For instance, consider the following HTML page.

<!DOCTYPE html>
<script>
var p = "<!--<script>"
// </script>
document.write("Script doesn't close!")
</script>

Putting <!--<script> in a string has an unusual property of making </script> not work.

Some JSON encoders (such as one in PHP) encode slashes which prevents </script> escape:

$ php -r 'echo json_encode("/");'
"\/"

This does nothing again <!--<script>

$ php -r 'echo json_encode("<!--<script>");'
"<!--<script>"

KamilaBorowska avatar Sep 30 '20 09:09 KamilaBorowska