author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-06-15 15:23:01 -0300 |
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-06-16 17:27:48 -0300 |
commit | 193b76cbf0c44443f025625b04293e920d5e449e (patch) | |
tree | 37ad68aae4d99335f78e4e22271722e1e68e94ac /activesupport/lib/active_support/json | |
parent | af01f45f068ea382257090ec8a3aa2579e56dbdc (diff) | |
Escape HTML entities in JSON keys
Fixes CVE-2015-3226
Diffstat (limited to 'activesupport/lib/active_support/json')
-rw-r--r-- | activesupport/lib/active_support/json/encoding.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/json/encoding.rb b/activesupport/lib/active_support/json/encoding.rb
index 48f4967892..031c5e9339 100644
--- a/activesupport/lib/active_support/json/encoding.rb
+++ b/activesupport/lib/active_support/json/encoding.rb
@@ -57,6 +57,10 @@ module ActiveSupport
 super.gsub ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, ESCAPED_CHARS
 end
 end
+
+ def to_s
+ self
+ end
 end
 # Mark these as private so we don't leak encoding-specific constructs |
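Review bot: The added `to_s` has no comment saying why it exists, and a method that just returns `self` on a String subclass looks redundant to a later reader, who may remove it and silently reopen the issue the commit title names. The reason, as far as the hunk shows it, is that `String#to_s` on a subclass instance returns a plain `String`, which would drop the class whose `to_json` applies the escaping regexes seen in the context lines; returning `self` keeps that override in force when the encoder stringifies keys. I would add above the method: `# String#to_s returns a plain String for subclasses; keep the EscapedString so its escaping to_json still applies when it is used as a JSON key`. The enclosing class, and the `if`/`else` branch that the first context line belongs to, start outside the hunk, so I cannot confirm from here that no other `to_s`/`to_str` path bypasses this.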