Edit report at http://bugs.php.net/bug.php?id=41307&edit=1
ID: 41307
Updated by: ahar...@php.net
Reported by: marcus at synchromedia dot co dot uk
Summary: Extend json_encode to support XSS-safe output
-Status: Open
+Status: Wont fix
Type: Feature/Change Request
-Package: Feature/Change Request
+Package: JSON related
Operating System: n/a
PHP Version: 5.2.2
Block user comment: N

New Comment:

Given how easy this is to implement in user space and that it doesn't seem to be a terribly common way of formatting JSON data (not to mention that it's invalid per the spec), I think it's best to close this won't fix.

Previous Comments:
------------------------------------------------------------------------

[2007-05-06 21:47:03] marcus at synchromedia dot co dot uk

Description:
------------
It would be nice to add a json safety feature to prevent XSS attacks. There is already a popular implementation of the client end of this, which is described here:

http://www.prototypejs.org/learn/json

My request is to add an optional param to json_encode so that it produces output which is compatible with that of prototype. Any other JS library will still be compatible with that approach.

In short, wrap json_encode output in comments like so:

$json_output = "/*-secure-\n".json_encode($myvar)."*/";

A new implementation might achieve this as:

$json_output = json_encode($myvar, true);

I'm suggesting doing this in the ext rather than in user code as it's something that will likely be used a lot, and the syntax is easy to get wrong.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/bug.php?id=41307&edit=1
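The user-space equivalent the closing comment refers to, as an added example that is not part of the bug report, of PHP, or of Prototype: a wrapper that emits the `/*-secure-` framing the report asks for, and the matching unwrap step that accepts only correctly framed input. The function names `json_encode_secure` and `json_decode_secure` are assumed here, not existing PHP functions.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Produces the same output as the requested json_encode($myvar, true):
// the JSON text wrapped in the comment framing Prototype's client strips.
function json_encode_secure($value)
{
    // json_encode escapes "/" as "\/" by default, so a string value that
    // contains "*/" cannot close the surrounding comment early.
    return "/*-secure-\n" . json_encode($value) . "*/";
}

// Server-side mirror of the client check: accept only text that carries
// the exact prefix and suffix, then decode what lies between them.
function json_decode_secure($text)
{
    $prefix = "/*-secure-\n";
    $suffix = "*/";
    if (strncmp($text, $prefix, strlen($prefix)) !== 0
        || substr($text, -strlen($suffix)) !== $suffix) {
        return null; // framing missing or altered: do not decode
    }
    $inner = substr($text, strlen($prefix), -strlen($suffix));
    return json_decode($inner, true);
}

// Constructed sample input; the "*/" inside the string shows the slash
// escaping keeping the framing intact.
$wrapped = json_encode_secure(array('user' => 'bob', 'note' => 'has */ inside'));
var_dump($wrapped);
var_dump(json_decode_secure($wrapped));
var_dump(json_decode_secure(json_encode('unframed'))); // rejected
```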