html/template: investigate rewriting the JS parser #63371
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Comments
rolandshoemaker
added
the
NeedsInvestigation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The JS parser used for contextual escaping is a best effort implementation that implements a subset of the lexical grammar required for our purposes. That said it is rather complex, can be somewhat painful to work with, and diverges in places from the ECMAScript 262 specification.
We should investigate if we can rewrite the parser to produce a token stream using the 262 parsing rules, and apply escaping rules directly to the tokens themselves before rendering them. This would likely be a significant undertaking, but also would likely be significantly simpler to maintain in the long term, making the lives of the Security team in particular somewhat easier.
The text was updated successfully, but these errors were encountered: