yahoo / serialize-javascript

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

what is the "JavaScript line terminators"?

lewis617 opened this issue · comments

what is the "JavaScript line terminators"?

JavaScript has line terminator characters which imply the end of a statement and cause automatic semicolon insertion (ASI). This is a potential attack vector as it can cause a script to be terminated early and malicious code to be injected. Therefore, this lib will escape JavaScript line terminators in data strings which will cause the premature end of a statement.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Lexical_grammar#Line_terminators

I tried seeing what JSON.stringify did with them, but it seems to ignore them?

> q="1\n2\r3\u20284\u20295\u0027"
"1
2
3
4
5'"
> JSON.stringify(q)
""1\n2\r3
4
5'""

Is replacing line terminators necessary when escaping JSON?

@wmertens it does not ignore them:

Buffer.from("1\n2\r3\u20284\u20295\u0027")
<Buffer 31 0a 32 0d 33 e2 80 a8 34 e2 80 a9 35 27>

Buffer.from(JSON.stringify("1\n2\r3\u20284\u20295\u0027"))
<Buffer 22 31 5c 6e 32 5c 72 33 e2 80 a8 34 e2 80 a9 35 27 22>

@mifi I don't understand? You showed that the hex representation is exactly the string representation I showed above.

Re-reading the issue I should check if the JSON-stringified string results in line breaks when used in a script tag in HTML. Will the JS engine terminate the string early? Given that double quotes can't span across lines, it seems likely.

I lined up the non-json-encoded (1), json encoded (2) and ascii representation of the json encoded (3)

1:        31   0a      32   0d      33   e2 80 a8   34   e2 80 a9   35   27

2:    22  31   5c 6e   32   5c 72   33   e2 80 a8   34   e2 80 a9   35   27      22

3:    "   1    \  n    2    \  r    3    \u2028     4    \u2029     5    \u0027  "

Doesn't the e2 80 a8 and e2 80 a9 get passed right thru?

Yes indeed, so stringify ignores them and passes them right through :)

I didn't understand why that was a problem back then, but now I do.

I forgot about this, I need to handle this in jsurl2. Thanks for reminding me!

Ah, I thought by "ignored" you meant that they are stripped away, because in your example they apparently disappeared (invisible chars). Very sneaky, all these hidden characters 👻

Oh and https://github.com/wmertens/jsurl2 already handles it, I forgot I added that 😅
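The behaviour discussed in this thread, as an added example that is not part of the thread and not serialize-javascript's own code: it checks which characters the engine treats as line terminators, shows that `JSON.stringify` leaves U+2028 and U+2029 raw, and escapes only those two. The function names are hypothetical and the sample string is the one posted above.

```javascript
// Added example; function names are hypothetical, not serialize-javascript's API.
// Sample input: the string used in the thread.
const SAMPLE = "1\n2\r3\u20284\u20295\u0027";

// ECMAScript line terminators: LF, CR, LS (U+2028), PS (U+2029).
const LINE_TERMINATORS = ["\n", "\r", "\u2028", "\u2029"];

// True when the engine treats `ch` as a line terminator: it ends the `//`
// comment, so the `return` that follows is parsed as code and runs.
function endsLineComment(ch) {
  return new Function("// comment" + ch + "return true")() === true;
}

// Line terminators still present as raw characters in `text`, as code points.
function rawLineTerminators(text) {
  return [...text]
    .filter((c) => LINE_TERMINATORS.includes(c))
    .map((c) => "U+" + c.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// JSON.stringify, then replace the raw U+2028/U+2029 it passes through with
// \uXXXX escapes, so the output contains no raw line terminator at all.
function stringifyEscapingLineTerminators(value) {
  return JSON.stringify(value).replace(
    /[\u2028\u2029]/g,
    (c) => "\\u" + c.codePointAt(0).toString(16)
  );
}

const plain = JSON.stringify(SAMPLE);
const escaped = stringifyEscapingLineTerminators(SAMPLE);

console.log(LINE_TERMINATORS.map(endsLineComment)); // all four end a comment
console.log(rawLineTerminators(plain));             // what stringify left raw
console.log(rawLineTerminators(escaped));           // nothing left raw
console.log(escaped);                               // printable ASCII only
console.log(JSON.parse(escaped) === SAMPLE);        // escaping is lossless
```

Engines that implement ES2019 accept raw U+2028 and U+2029 inside string literals, while older engines reject them; the escaped form parses the same way on both.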