Diffstat (limited to 'base/json')
-rw-r--r-- | base/json/string_escape.cc | 7 | ||||
-rw-r--r-- | base/json/string_escape_unittest.cc | 2 |
2 files changed, 6 insertions, 3 deletions
diff --git a/base/json/string_escape.cc b/base/json/string_escape.cc
index 5bf0b86..0b12439 100644
--- a/base/json/string_escape.cc
+++ b/base/json/string_escape.cc
@@ -58,9 +58,10 @@ void JsonDoubleQuoteT(const STR& str,
   for (typename STR::const_iterator it = str.begin(); it != str.end(); ++it) {
     typename ToUnsigned<typename STR::value_type>::Unsigned c = *it;
     if (!JsonSingleEscapeChar(c, dst)) {
-      if (c < 32 || c > 126) {
-        // Technically, we could also pass through c > 126 as UTF8, but this is
-        // also optional. It would also be a pain to implement here.
+      if (c < 32 || c > 126 || c == '<' || c == '>') {
+        // 1. Escaping <, > to prevent script execution.
+        // 2. Technically, we could also pass through c > 126 as UTF8, but this
+        // is also optional. It would also be a pain to implement here.
         unsigned int as_uint = static_cast<unsigned int>(c);
         StringAppendF(dst, "\\u%04X", as_uint);
       } else {
diff --git a/base/json/string_escape_unittest.cc b/base/json/string_escape_unittest.cc
index 29e5a38..c550ca3 100644
--- a/base/json/string_escape_unittest.cc
+++ b/base/json/string_escape_unittest.cc
@@ -18,6 +18,7 @@ const struct json_narrow_test_data {
   {"a\b\f\n\r\t\v\1\\.\"z", "a\\b\\f\\n\\r\\t\\u000B\\u0001\\\\.\\\"z"},
   {"b\x0f\x7f\xf0\xff!", "b\\u000F\\u007F\\u00F0\\u00FF!"},
+  {"c<>d", "c\\u003C\\u003Ed"},
 };
 } // namespace
@@ -62,6 +63,7 @@ const struct json_wide_test_data {
   {L"a\b\f\n\r\t\v\1\\.\"z", "a\\b\\f\\n\\r\\t\\u000B\\u0001\\\\.\\\"z"},
   {L"b\x0f\x7f\xf0\xff!", "b\\u000F\\u007F\\u00F0\\u00FF!"},
+  {L"c<>d", "c\\u003C\\u003Ed"},
 };
 } // namespace |
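Review bot: The new comment "Escaping <, > to prevent script execution" overstates what the added `c == '<' || c == '>'` check in JsonDoubleQuoteT buys: it only stops a serialized string from containing a literal `</script>` (or other tag) when the JSON is inlined inside a `<script>` element, and `&` is still passed through, so the output remains unsafe to drop into HTML text or attribute contexts without separate HTML escaping. I would replace that comment with `// Escape '<' and '>' so the output cannot close a <script> element when embedded inline in HTML; this does not make the string safe for other HTML contexts, which still need HTML escaping.` Since this is a security property callers will rely on, the same statement belongs on the function's declaration in the header, which is outside this hunk. Separately, the existing byte-wise `\u00XX` escaping of c > 126 for narrow strings (visible in the unittest expectation for `"\xf0\xff"`) appears to emit one escape per UTF-8 byte rather than per code point, so multi-byte input is presumably re-encoded incorrectly; that is pre-existing and the comment acknowledges it, but it is worth a TODO in the same place. JsonDoubleQuoteT begins and ends outside the hunk.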