diff options
| author | Godfrey Chan <godfreykfc@gmail.com> | 2013-12-04 09:43:42 -0800 |
|---|---|---|
| committer | Godfrey Chan <godfreykfc@gmail.com> | 2013-12-04 09:43:42 -0800 |
| commit | 2c564cdbdbe62c319e65abb3631b288f11878987 (patch) | |
| tree | c7357a1edc72576f4981b2060e8e1b6bcaab667e /activesupport | |
| parent | c229c7a39c2704e0b5c19c2b4d5edb16ecdcef7f (diff) | |
| download | rails-2c564cdbdbe62c319e65abb3631b288f11878987.tar.gz rails-2c564cdbdbe62c319e65abb3631b288f11878987.tar.bz2 rails-2c564cdbdbe62c319e65abb3631b288f11878987.zip | |
Added \u2028 \u2029 to json_escape
Diffstat (limited to 'activesupport')
| -rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index 0e07e5952f..1d23998b88 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -4,9 +4,9 @@ require 'active_support/core_ext/kernel/singleton_class' class ERB module Util HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' } - JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c' } + JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' } HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/ - JSON_ESCAPE_REGEXP = /[&><]/ + JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u # A utility method for escaping HTML tag characters. # This method is also aliased as <tt>h</tt>. @@ -50,9 +50,11 @@ class ERB # A utility method for escaping HTML entities in JSON strings. Specifically, the # &, > and < characters are replaced with their equivilant unicode escaped form - - # \u0026, \u003e, and \u003c. These sequences has identical meaning as the original - # characters inside the context of a JSON string, so assuming the input is a valid - # and well-formed JSON value, the output will have equivilant meaning when parsed: + # \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also + # escaped as then are treated as newline characters in some JavaScript engines. + # These sequences has identical meaning as the original characters inside the + # context of a JSON string, so assuming the input is a valid and well-formed + # JSON value, the output will have equivilant meaning when parsed: # # json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"}) # # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}" |