Secure JSON.stringify for injecting into HTML's `<script>` tag.
npm install html-safe-jsonSecure JSON.stringify for injecting into HTML's ",
};
const endpoint = (req, res) => {
const html =
;
res.send(html);
};
`Demos
If you want to see a difference between
and bare JSON.stringify in action you can clone repository of
this project, install dependencies and run yarn start:dev script.Then open
127.0.0.1:1337 in your browser for demos.Alert message is expected - it demonstrates that JSON.stringify is unsafe, while
html-safe-json is safe.Bonus knowledge / other solutions
Next.js uses (as of v2) [htmlescape][2] library to secure data before embedding into HTML. It's more aggressive and
encodes every
< and > characters thus automatically resolves most of the issues. html-safe-json saves both output
bytes and processing power (it's faster by ~36%) by replacing only what is needed.Benchmark run steps:
- install deps
-
yarn start:benchmark> html-safe-json is faster by 277 ms (586ms vs 863ms in total) difference: 38 %
Benchmark currently stringifies a string, this is intentional - comparing converting object to string is useless,
because both libs uses
MIT
[1]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify
[2]: https://github.com/zertosh/htmlescape
[3]: https://v8.dev/features/subsume-json
[4]: https://mathiasbynens.be/notes/etago#recommendations
[5]: https://github.com/OWASP/json-sanitizer