Ember's research into JSON-in-html escaping: https://twitter.com/wycats/status/786708690879610882
which is why we decided to escape `<`, which eliminates ALL of the tokenizer states from https://www.w3.org/TR/html5/syntax.html#script-data-state
what's that showing though? where was the XSS? that's just the post-escaped output
maybe we're talking about different things? mine is for embedding in a script tag in *rendered* HTML
ie, it's for escaping server-side (which is why I was sensitive on perf)
like, what's the use case for dynamically putting a script tag in innerHTML (esp considering they don't execute)?
Ah. Ok. I see. My bad – I apologize. The innerHTML threw me. You're absolutely right.
https://github.com/mhart/react-server-example/blob/master/server.js#L107