0

I'm including JSON in an HTML tag, considering the only possible input characters for the JSON will be "':{},[a-z][0-9] is it possible for JSON or HTML to be broken with my approach? What should I be wary of when using JSON across HTML and Javascript?

<input type="hidden" value="<?=htmlspecialchars(json_encode($myArray));?>" />
Improve this question
1
  • JSON allows for JS strings, which can include the HTML/SGML/XML special characters <, >, & (and " and ' if used in HTML attributes). Commented Jun 18, 2012 at 20:18

2 Answers 2

Reset to default
1

JSON can contain nearly any character in its strings. As you are using it in an attribute, escape_quotesaddslashes should be enough, that depends on your (X)HTML version. htmlspecialchars is OK anyway.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

this one? php.net/manual/en/function.addslashes.php someone said don't escape single quotes for JSON. Why wouldn't you want to do this?
You're right, thanks. You don't need to escape single quotes, only when you use them as HTML attribute delimiters...
1

in the definition of json, one of the posible values its a string. which can contain <, > among other things

you can use a base64 enconding to avoid this.

Improve this answer

2 Comments

May be a good idea to use urlsafe base64 if you base64 it. ( base64 with - instead of + and _ instead of /, optionally with padding dropped ) to avoid the text being encoded.Probably not required, but would save some space with the text.
AFAIK urlsafe its not standard, and its more complicated to get encoder/decoder. but i may be wrong

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.