author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-06-15 15:23:01 -0300 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-06-16 17:27:48 -0300 |
commit | 193b76cbf0c44443f025625b04293e920d5e449e (patch) | |
tree | 37ad68aae4d99335f78e4e22271722e1e68e94ac /activesupport/test | |
parent | af01f45f068ea382257090ec8a3aa2579e56dbdc (diff) | |
download | rails-193b76cbf0c44443f025625b04293e920d5e449e.tar.gz rails-193b76cbf0c44443f025625b04293e920d5e449e.tar.bz2 rails-193b76cbf0c44443f025625b04293e920d5e449e.zip |
Escape HTML entities in JSON keys
Fixes CVE-2015-3226
Diffstat (limited to 'activesupport/test')
-rw-r--r-- | activesupport/test/json/encoding_test.rb | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/activesupport/test/json/encoding_test.rb b/activesupport/test/json/encoding_test.rb
index 2f269a66f0..ee47b97a8a 100644
--- a/activesupport/test/json/encoding_test.rb
+++ b/activesupport/test/json/encoding_test.rb
@@ -147,6 +147,13 @@ class TestJSONEncoding < ActiveSupport::TestCase
     assert_equal %({\"a\":\"b\",\"c\":\"d\"}), sorted_json(ActiveSupport::JSON.encode(:a => :b, :c => :d))
   end
 
+  def test_hash_keys_encoding
+    ActiveSupport.escape_html_entities_in_json = true
+    assert_equal "{\"\\u003c\\u003e\":\"\\u003c\\u003e\"}", ActiveSupport::JSON.encode("<>" => "<>")
+  ensure
+    ActiveSupport.escape_html_entities_in_json = false
+  end
+
   def test_utf8_string_encoded_properly
     result = ActiveSupport::JSON.encode('€2.99')
     assert_equal '"€2.99"', result |
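Review bot: The `ensure` clause in the new `test_hash_keys_encoding` forces `ActiveSupport.escape_html_entities_in_json` back to `false` instead of restoring whatever value it held before the test, so if the suite or a later default ever has the option enabled, this test silently disables it for every test that runs afterwards. Capture the prior value first and restore it: `original = ActiveSupport.escape_html_entities_in_json` before the assignment and `ActiveSupport.escape_html_entities_in_json = original` in `ensure`. It would also be worth a short comment on the test noting that it covers the CVE-2015-3226 fix, so the key-escaping assertion is not loosened later as a cosmetic change. The enclosing class `TestJSONEncoding` starts and ends outside the hunk.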