author | Michael Koziarski <michael@koziarski.com> | 2007-12-02 08:45:35 +0000 |
---|---|---|
committer | Michael Koziarski <michael@koziarski.com> | 2007-12-02 08:45:35 +0000 |
commit | 92f02adf407d6884ffea789b39f78f44b7fd3722 (patch) | |
tree | 3d363b6feb853f93c54f6faf40f294738c4de4ce /activesupport/lib/active_support/json | |
parent | e7c5da6260918d770f9d7abd311337ff1cb09d60 (diff) | |
Don't escape forward slashes with String#to_json; our unicode encoding of < and > prevents the XSS problems. [tpope] Closes #10273
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8255 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'activesupport/lib/active_support/json')
-rw-r--r-- | activesupport/lib/active_support/json/encoders/string.rb | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/activesupport/lib/active_support/json/encoders/string.rb b/activesupport/lib/active_support/json/encoders/string.rb
index ca74436802..28f1190662 100644
--- a/activesupport/lib/active_support/json/encoders/string.rb
+++ b/activesupport/lib/active_support/json/encoders/string.rb
@@ -11,8 +11,7 @@ module ActiveSupport
 '\\' => '\\\\',
 '>' => '\u003E',
 '<' => '\u003C',
- '&' => '\u0026',
- '/' => '\\/'
+ '&' => '\u0026'
 }
 end
 end
@@ -20,7 +19,7 @@ end
 
 class String
 def to_json(options = nil) #:nodoc:
- '"' + gsub(/[\010\f\n\r\t"\\><&\/]/) { |s|
+ '"' + gsub(/[\010\f\n\r\t"\\><&]/) { |s|
 ActiveSupport::JSON::Encoding::ESCAPED_CHARS[s]
 }.gsub(/([\xC0-\xDF][\x80-\xBF]|
 [\xE0-\xEF][\x80-\xBF]{2}| |
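Review bot: The security argument for dropping the `'/'` entry is not recorded next to the table it depends on: `'<'`, `'>'` and `'&'` are emitted as `\uXXXX` escapes, which is the only thing keeping a literal `</script>` out of JSON embedded in a script block, and nothing in the hash says those three keys must stay. The second hunk keeps the hand-written character class in `String#to_json` in step with the keys, but the coupling is implicit; if a key and the regex ever diverge, `ESCAPED_CHARS[s]` returns nil inside the gsub block and the character is silently dropped rather than escaped. I would add above the remaining entries: `# '<', '>' and '&' are \u-escaped so "</script>" can never appear literally in output;` / `# that is why '/' needs no escaping. Keys must match the character class in String#to_json.` The `ESCAPED_CHARS = {` line that opens this hash, and the body of `to_json` in the second hunk, both lie outside the visible hunks.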