-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider escaping lone surrogates #13
Comments
Thanks! I opened #17, but I have to confess I don't really know what I'm doing. Does it look like a reasonable solution? Essentially it replaces |
Note that with https://github.com/tc39/proposal-well-formed-stringify, |
Closing now that #17 is merged. Cheers, Rich! |
Would jsesc make sense in this list? https://github.com/Rich-Harris/devalue#see-also |
yeah! added it |
Lone surrogates are not valid in UTF-16 or UTF-8, and can be (and have been) used to break such parsers. To protect against this, just escape them.
FWIW, I worked on https://github.com/mathiasbynens/jsesc which shares devalue’s security goals (although it does not compete with devalue, as it doesn’t aim to support cycles).
The text was updated successfully, but these errors were encountered: