My coworker recently introduced me to one of the most blatantly bad behaviors in web browser history. He introduced it thus:
Out[1]: simplejson.dumps({'foo': '<script>alert(document.cookie);</script>'}) | |
Out[2]: '{"foo": "<script>alert(document.cookie);</script>"}' |
The thing is, that there is nothing wrong with what simplejson is doing. The problem is that this little piece of json is not handled properly in IE and IE actually executes the javascript in the script tag regardless of the fact that it's inside a string. This can leave an application wide open to XSS attacks. IE seems to do this for at least the text/plain mime-type.