IE, JSON, and the script tag
My coworker recently introduced me to one of the most blatantly bad behaviors in web browser history. He introduced it thus:
In [1]: import simplejson

In [2]: simplejson.dumps({'foo': '<script>alert(document.cookie);</script>'})
Out[2]: '{"foo": "<script>alert(document.cookie);</script>"}'
The thing is, there is nothing wrong with what simplejson is doing: that is
the correct JSON encoding of the value. The problem is how IE handles the
response. When this JSON is served with a Content-Type of text/plain and the
URL is opened directly in the browser, IE does not trust the declared type; it
sniffs the body, finds an HTML tag, and renders the whole response as HTML. An
HTML parser knows nothing about JSON string delimiters, so the <script> element
runs even though, as JSON, it was only the contents of a string. Any endpoint
that echoes user-controlled data back as JSON this way can become an XSS
vector. IE is known to do this for at least the text/plain mime-type.
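The usual fix is to make sure the bytes on the wire can never look like HTML, and to stop the browser sniffing in the first place. The following is an added example, not code from the original post: it uses the standard-library json module (simplejson exposes the same dumps API) and rewrites the three characters that can open an HTML tag or entity as JSON \uXXXX escapes after serialisation. The output is still valid JSON and decodes to the same value; it just contains no '<' for a sniffer to find. The header values in json_response_headers are the ones I would send alongside the body and are my assumption, not something the post specifies; X-Content-Type-Options: nosniff is honoured by IE8 and later.

```python
import json

# Characters that let a response sniffed as HTML contain a tag or entity.
# The JSON \uXXXX escapes decode back to the same characters.
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def dumps_html_safe(obj):
    """json.dumps, then escape <, >, & in the output.

    JSON's structural characters are { } [ ] : and the comma, so these three
    characters can only appear inside string literals, where a \\uXXXX escape
    is always legal. A browser that renders the result as HTML therefore finds
    no tag to execute.
    """
    text = json.dumps(obj)
    for ch, esc in _HTML_UNSAFE.items():
        text = text.replace(ch, esc)
    return text


def round_trips(obj):
    """True if escaping did not change the decoded value."""
    return json.loads(dumps_html_safe(obj)) == obj


def json_response_headers():
    """Headers to send with the body (assumed values, not from the post).

    A real JSON media type gives IE no reason to sniff, and nosniff (IE8+)
    tells it not to even if it wanted to.
    """
    return {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample: the payload from the IPython session above.
    payload = {"foo": "<script>alert(document.cookie);</script>"}
    body = dumps_html_safe(payload)
    print(body)
    print("round-trips:", round_trips(payload))
    print(json_response_headers())
```

Escaping after json.dumps rather than before means the same function works for nested structures, lists and dict keys without walking the object, and the escapes survive any later ensure_ascii handling because they are plain ASCII.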