| field | value | date |
|---|---|---|
| author | Godfrey Chan <godfreykfc@gmail.com> | 2013-09-11 16:52:58 -0700 |
| committer | Godfrey Chan <godfreykfc@gmail.com> | 2013-09-11 17:22:09 -0700 |
| commit | b9e142af529b20720fc34bc5f563e935a7ef7cda | |
| tree | 484352775f7f0ba7b23ef57a45c66143a7e27448 /activesupport/lib/active_support/json | |
| parent | 3d60e9d5503b5f657336a8b7ee6345552ddb6c83 | |
| download | rails-b9e142af529b20720fc34bc5f563e935a7ef7cda.tar.gz, rails-b9e142af529b20720fc34bc5f563e935a7ef7cda.tar.bz2, rails-b9e142af529b20720fc34bc5f563e935a7ef7cda.zip | |
Replace JSON.load with JSON.parse, also removed the proc parameter

Since we are dealing with untrusted user input, we should not be
using JSON.load. According to the docs[1]:

> BEWARE: This method is meant to serialise data from trusted user
> input, like from your own database server or clients under your
> control, it could be dangerous to allow untrusted users to pass
> JSON sources into it. The default options for the parser can be
> changed via the ::load_default_options method.

[1] http://www.ruby-doc.org/stdlib-2.0/libdoc/json/rdoc/JSON.html#method-i-load
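As an added example (not Rails' own code), the helper below mirrors the change this commit makes, calling `JSON.parse` with `create_additions` forced off, and checks on a constructed input that a `json_class` key stays inert data; `safe_json_decode`, `additions_disabled?`, `UNTRUSTED_INPUT` and the class name `ExampleClass` are names assumed here.

```ruby
require 'json'

# Added example, not Rails' own code: a decode helper in the spirit of the
# commit above. JSON.parse is called with create_additions forced to false
# (merged last, so a caller cannot re-enable it), which keeps a "json_class"
# key in untrusted input as an ordinary string key instead of an instruction
# to instantiate that class.
def safe_json_decode(json, options = {})
  ::JSON.parse(json, options.merge(create_additions: false))
end

# Constructed sample input (not from the page): a document carrying the
# json_class marker that the JSON gem's additions mechanism looks for.
# "ExampleClass" is a placeholder name, not a real class.
UNTRUSTED_INPUT = '{"json_class":"ExampleClass","team":"rails","players":"36"}'

# Returns true when the decoded value is a plain Hash whose json_class
# entry survived as data rather than being acted on.
def additions_disabled?(json, options = {})
  data = safe_json_decode(json, options)
  data.is_a?(Hash) && data["json_class"].is_a?(String)
end

if __FILE__ == $0
  p safe_json_decode(UNTRUSTED_INPUT)
  # Even an explicit create_additions: true from the caller is overridden.
  p additions_disabled?(UNTRUSTED_INPUT, create_additions: true)
end
```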
Diffstat (limited to 'activesupport/lib/active_support/json')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | activesupport/lib/active_support/json/decoding.rb | 4 |

1 files changed, 2 insertions, 2 deletions
diff --git a/activesupport/lib/active_support/json/decoding.rb b/activesupport/lib/active_support/json/decoding.rb index 30833a4cb1..2533ff43e1 100644 --- a/activesupport/lib/active_support/json/decoding.rb +++ b/activesupport/lib/active_support/json/decoding.rb @@ -13,8 +13,8 @@ module ActiveSupport # # ActiveSupport::JSON.decode("{\"team\":\"rails\",\"players\":\"36\"}") # => {"team" => "rails", "players" => "36"} - def decode(json, proc = nil, options = {}) - data = ::JSON.load(json, proc, options) + def decode(json, options = {}) + data = ::JSON.parse(json, options.merge(create_additions: false)) if ActiveSupport.parse_json_times convert_dates_from(data) else |
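Review bot: the new `def decode(json, options = {})` drops the positional `proc` parameter, so any existing caller that still passes a proc as the second argument will now have it bound to `options`, and `options.merge(create_additions: false)` will raise NoMethodError on a Proc instead of failing clearly; since `ActiveSupport::JSON.decode` is public API, consider a deprecation shim that detects a Proc in that position (or at least a CHANGELOG entry). Merging `create_additions: false` last is the right order, because it means a caller cannot re-enable additions through `options`; a one-line comment saying this is deliberate would stop a later cleanup from reversing the merge.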