You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The JS parser used for contextual escaping is a best effort implementation that implements a subset of the lexical grammar required for our purposes. That said it is rather complex, can be somewhat painful to work with, and diverges in places from the ECMAScript 262 specification.
We should investigate if we can rewrite the parser to produce a token stream using the 262 parsing rules, and apply escaping rules directly to the tokens themselves before rendering them. This would likely be a significant undertaking, but also would likely be significantly simpler to maintain in the long term, making the lives of the Security team in particular somewhat easier.
The text was updated successfully, but these errors were encountered:
The JS parser used for contextual escaping is a best effort implementation that implements a subset of the lexical grammar required for our purposes. That said it is rather complex, can be somewhat painful to work with, and diverges in places from the ECMAScript 262 specification.
We should investigate if we can rewrite the parser to produce a token stream using the 262 parsing rules, and apply escaping rules directly to the tokens themselves before rendering them. This would likely be a significant undertaking, but also would likely be significantly simpler to maintain in the long term, making the lives of the Security team in particular somewhat easier.
The text was updated successfully, but these errors were encountered: