encoding/json: Compact should be consistent with escaping #34070
Labels: FrozenDueToAge, NeedsInvestigation
As requested by @mvdan I'm filing an issue to decide on the escaping behaviour of `Compact` for go1.14.

#30357 was originally filed as `Compact` escapes U+2028 and U+2029 which increases the output size without being documented. The fix for that issue was documentation (CL 173417) that turned out to be incorrect and was reverted by CL 188717.

`Compact` currently escapes U+2028 and U+2029, but it doesn't escape <, > or &. `Compact` is thus only performing a subset of HTML escaping and its output is not safe to embed inside HTML `<script>` tags as CL 173417 had documented.

If I understand correctly, the escaping of U+2028 and U+2029 was added not for HTML but rather for JavaScript interpreters that might consume a directly embedded JSON literal.

The options seem to be:

1. Stop performing any escaping in `Compact` as the original issue requested. The escaping of U+2028 and U+2029 was added in CL 10883045, and reading over the comments, it does seem like it was intentional to have `Compact` escape U+2028 and U+2029.
2. Have `Compact` properly perform HTML escaping, as `HTMLEscape` does, and be documented as such. This is likely the safest option, as the only consequence to overly aggressive escaping is larger encoded JSON.
3. Document that `Compact` escapes U+2028 and U+2029, but not <, > or & and is thus not safe to embed in HTML without separately calling `HTMLEscape`.
4. Do nothing
/cc @PhilipBorgesen @rsc @bradfitz
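
An added example (not part of the original issue or of the Go project's code) that checks which of the characters discussed above are still raw after `json.Compact`, and again after the separate `json.HTMLEscape` call the issue mentions. The names `sample`, `rawUnsafe` and `compact` are hypothetical and the input is constructed; whether `Compact` itself escapes U+2028 and U+2029 is the behaviour under discussion, so the code reports it rather than assuming it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// sample is constructed input: insignificant whitespace plus the characters
// the issue discusses (<, >, &, raw U+2028, raw U+2029) inside a string.
const sample = "{ \"note\" : \"a </script> b & c\u2028d\u2029e\" }"

// rawUnsafe reports which of the sequences HTMLEscape is documented to
// rewrite are still present unescaped in b. In valid JSON they can only
// occur inside string literals, so a byte search is sufficient.
func rawUnsafe(b []byte) []string {
	var found []string
	for _, seq := range []string{"<", ">", "&", "\u2028", "\u2029"} {
		if bytes.Contains(b, []byte(seq)) {
			found = append(found, fmt.Sprintf("%+q", seq))
		}
	}
	return found
}

// compact runs json.Compact and, when forScript is true, json.HTMLEscape on
// the result (the separate call needed before embedding in <script>).
func compact(src []byte, forScript bool) ([]byte, error) {
	var out bytes.Buffer
	if err := json.Compact(&out, src); err != nil {
		return nil, err
	}
	if !forScript {
		return out.Bytes(), nil
	}
	var esc bytes.Buffer
	json.HTMLEscape(&esc, out.Bytes())
	return esc.Bytes(), nil
}

func main() {
	for _, forScript := range []bool{false, true} {
		b, err := compact([]byte(sample), forScript)
		fmt.Printf("forScript=%-5v err=%v\n  %s\n  raw unsafe: %v\n",
			forScript, err, b, rawUnsafe(b))
	}
}
```
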