29665 2016-05-26 10:05:56 +0000 [SER31] JSON escaping 2016-07-21 18:54:57 +0000 1 1 1 Unclassified XPath / XQuery / XSLT Serialization 3.1 Candidate Recommendation PC Windows NT RESOLVED FIXED https://www.w3.org/XML/Group/qtspecs/specifications/xslt-xquery-serialization-31/html/Overview.html#json-output P2 normal --- 1 tim cmsmcq andrew_coleman mike public-qt-comments oldest_to_newest 126580 0 tim 2016-05-26 10:05:56 +0000 The rules for JSON encoding state: "JSON escaping replaces the characters quotation mark, backspace, form-feed, newline, carriage return, or tab by the corresponding JSON escape sequences \", \b, \f, \n, \r, or \t respectively, and any other codepoint in the range 1-31 or 127-159 by an escape in the form \uHHHH where HHHH is the hexadecimal representation of the codepoint value. Escaping is also applied to any characters that cannot be represented in the selected encoding." This appears to omit the escaping of reverse-solidus (codepoint 92) as \\. It also omits the escaping of solidus (character 47). Reading up on the subject [1], it appears it is advisable to escape this character so that it is safe to embed the JSON substring "</script>" in HTML. [1] http://andowebsit.es/blog/noteslog.com/post/the-solidus-issue/ 126925 1 andrew_coleman 2016-07-08 08:05:52 +0000 The editors agree and propose to revise the above paragraph as follows: "JSON escaping replaces the characters quotation mark, backspace, form-feed, newline, carriage return, tab, reverse solidus, or solidus by the corresponding JSON escape sequences \", \b, \f, \n, \r, \t, \\, or \/ respectively, and any other codepoint in the range 1-31 or 127-159 by an escape in the form \uHHHH where HHHH is the hexadecimal representation of the codepoint value. Escaping is also applied to any characters that cannot be represented in the selected encoding." 126940 2 mike 2016-07-10 09:43:37 +0000 Should the same change (escaping a solidus) be made to the xml-to-json() function? 126965 3 tim 2016-07-18 10:17:21 +0000 (In reply to Michael Kay from comment #2) > Should the same change (escaping a solidus) be made to the xml-to-json() > function? Yes. I think test case xml-to-json-017 will need to change. 127027 4 andrew_coleman 2016-07-21 18:54:57 +0000 At the meeting on 2016-07-19, the WG agreed to adopt the proposal in comment #1. The changes have now been applied