Echo JS 0.11.0

adrianoprea 3100 days ago. 1 point
You are right, that is an experiment, as I have clarified in many of the comments/discussion threads I've had on Linkedin, the blog comments section etc. But, I would never use something like that for user inserted data. If I were to ever use something like that in production, it would be for data structures that I created myself. The "person" example was the easiest to use. In the meantime, you have to sanitize everything, and you have a bigger problem if you allow your users to set names like that and you don't encode them.
As a closing thought, nothing comes out of JSON.parse when the object looks like this, besides an error that is easy to fix:

let person = {
  name: 'function f(){},alert("XSS")'
};

Cheers.
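Added example (not part of the comment above, and not code from its author): it takes the same `person` object, round-trips it through JSON.stringify/JSON.parse to show that the "function" text comes back as an inert string, feeds raw JavaScript source to JSON.parse to show it is rejected rather than evaluated, and adds a small HTML encoder for the case the comment mentions where a user-supplied name has to be rendered. The `encodeHtml` and `renderName` helpers are assumptions introduced here for illustration.

```javascript
// Constructed sample: the object from the comment.
const person = {
  name: 'function f(){},alert("XSS")'
};

// JSON.parse only builds data; a string value stays a string and nothing runs.
function roundTrip(obj) {
  return JSON.parse(JSON.stringify(obj));
}

// Raw JavaScript source (an unquoted key, a function literal) is not JSON:
// JSON.parse throws a SyntaxError instead of evaluating it.
function parseOrError(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Hypothetical helper: encode untrusted text before inserting it into HTML.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical helper: render a name into markup with the value encoded.
function renderName(p) {
  return '<span class="name">' + encodeHtml(p.name) + '</span>';
}

const restored = roundTrip(person);
console.log(typeof restored.name, restored.name);          // string, unchanged text
console.log(parseOrError('{name: function f(){}}'));       // { ok: false, error: 'SyntaxError' }
console.log(renderName(restored));                         // quotes become &quot;
```

The deserialization step stays safe because JSON.parse has no evaluation path; the rendering step is where encoding is still required, which is the "bigger problem" the comment points at.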
