Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

All JSON serializers worth their salt can serialize a single string to JSON, so the simplest way is to do json.dumps(the_string) and mark the string as safe so that it doesn't get escaped twice.


Simple JSON encoding alone is not sufficient if you put the output into a <script> tag.

<script>const user_input = "</script><script>alert(1)//"; ...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: