authorGodfrey Chan <godfreykfc@gmail.com>2013-12-04 09:43:42 -0800
committerGodfrey Chan <godfreykfc@gmail.com>2013-12-04 09:43:42 -0800
commit2c564cdbdbe62c319e65abb3631b288f11878987 (patch)
treec7357a1edc72576f4981b2060e8e1b6bcaab667e /activesupport
parentc229c7a39c2704e0b5c19c2b4d5edb16ecdcef7f (diff)
Added \u2028 \u2029 to json_escape
Diffstat (limited to 'activesupport')
-rw-r--r--activesupport/lib/active_support/core_ext/string/output_safety.rb12
1 files changed, 7 insertions, 5 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 0e07e5952f..1d23998b88 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -4,9 +4,9 @@ require 'active_support/core_ext/kernel/singleton_class'
class ERB
module Util
HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#39;' }
- JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c' }
+ JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
- JSON_ESCAPE_REGEXP = /[&><]/
+ JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
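Review bot: The rewritten JSON_ESCAPE_REGEXP on L31 is a UTF-8 regexp (explicit `u` flag and non-ASCII class members), whereas the `/[&><]/` it replaces was ASCII-only, so matching it against a string in an incompatible encoding that contains non-ASCII bytes (binary or ISO-8859-1 input, for instance) raises Encoding::CompatibilityError where the old pattern simply matched. json_escape itself lies outside this hunk, so whether its input is already UTF-8 cannot be confirmed here; if it is not, the caller has to normalise the encoding before the gsub rather than rely on the pattern. The new JSON_ESCAPE entries on L28 also mix quoting deliberately — the double-quoted keys are the raw U+2028/U+2029 code points, the single-quoted values are the six-character escape text — which is easy to misread as a typo, so a one-line comment above the constant such as `# Keys are the literal U+2028/U+2029 characters; values are the escape text a JSON string carries for them` would spare the next reader. The `u` flag on the regexp appears redundant, since a literal containing a \u escape is UTF-8 either way, but it is harmless.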
@@ -50,9 +50,11 @@ class ERB
# A utility method for escaping HTML entities in JSON strings. Specifically, the
# &, > and < characters are replaced with their equivilant unicode escaped form -
- # \u0026, \u003e, and \u003c. These sequences has identical meaning as the original
- # characters inside the context of a JSON string, so assuming the input is a valid
- # and well-formed JSON value, the output will have equivilant meaning when parsed:
+ # \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also
+ # escaped as then are treated as newline characters in some JavaScript engines.
+ # These sequences has identical meaning as the original characters inside the
+ # context of a JSON string, so assuming the input is a valid and well-formed
+ # JSON value, the output will have equivilant meaning when parsed:
#
# json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
# # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"