I have a stdClass object in PHP, something like
$o = new stdClass;
$o->foo = $bar;
The variable $bar contains a
As other answers have said, json_encode is not built for anti-XSS protections. Unless you specifically encode the unsafe string (or sanitize properly) you're going to have a potential issue.
Furthermore, once that string is extracted from the JSON object, it is still potentially hazardous if injected into the page at any point. For example:
foo = ""; ?>
var v =
isn't likely to execute (although you can't be certain). But if you were to do:
$('#some-element').html(v.foo);
you would absolutely encounter a vulnerability.
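The two contexts this answer distinguishes, as an added example that is not code from the original post: the JSON is made safe to embed in an inline script block, yet the value parsed back out is unchanged and still needs HTML encoding before it reaches an HTML sink. The helper names (`jsonForInlineScript`, `escapeHtml`, `roundTrip`) and the sample string are constructed for illustration.

```javascript
// Added example: helper names and the sample value are constructed.

// Constructed sample standing in for untrusted input.
const untrusted = '</script><img src=x onerror=alert(1)>';

// Serialize data for embedding inside an inline <script> block.
// Plain JSON leaves "<", ">" and "&" intact, so they are rewritten as
// \uXXXX escapes; the JavaScript parser decodes them back to the same string.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Encode a string for an HTML text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// What the page's script sees after the embedded JSON has been parsed.
function roundTrip(value) {
  return JSON.parse(jsonForInlineScript(value));
}

const embedded = jsonForInlineScript({ foo: untrusted });
const v = roundTrip({ foo: untrusted });

console.log(embedded);            // no raw "<" or ">" left in the script body
console.log(v.foo === untrusted); // the parsed value is the original string
console.log(escapeHtml(v.foo));   // encoded form for an HTML context
```

With jQuery, `.text(v.foo)` instead of `.html(v.foo)` avoids HTML parsing of the value altogether. On the PHP side, `json_encode` accepts the `JSON_HEX_TAG` and `JSON_HEX_AMP` flags, which produce the same kind of `\uXXXX` escapes as `jsonForInlineScript` here.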