aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport
diff options
context:
space:
mode:
authorCarlos Antonio da Silva <carlosantoniodasilva@gmail.com>2013-12-04 16:10:26 -0200
committerCarlos Antonio da Silva <carlosantoniodasilva@gmail.com>2013-12-04 16:11:43 -0200
commit556ad95b835ae80c1ba4fcb7c25c4f80e47e3dac (patch)
tree6bdc25a223300e8c6f4c3278baee05b3303bb935 /activesupport
parent033d770f25f63af5934da6f212eb0eda795b1360 (diff)
downloadrails-556ad95b835ae80c1ba4fcb7c25c4f80e47e3dac.tar.gz
rails-556ad95b835ae80c1ba4fcb7c25c4f80e47e3dac.tar.bz2
rails-556ad95b835ae80c1ba4fcb7c25c4f80e47e3dac.zip
Review json_escape docs [ci skip]
Diffstat (limited to 'activesupport')
-rw-r--r--activesupport/lib/active_support/core_ext/string/output_safety.rb44
1 files changed, 22 insertions, 22 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 23f95341f8..1b2098fc84 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -50,55 +50,55 @@ class ERB
module_function :html_escape_once
# A utility method for escaping HTML entities in JSON strings. Specifically, the
- # &, > and < characters are replaced with their equivilant unicode escaped form -
+ # &, > and < characters are replaced with their equivalent unicode escaped form -
# \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also
- # escaped as then are treated as newline characters in some JavaScript engines.
- # These sequences has identical meaning as the original characters inside the
+ # escaped as they are treated as newline characters in some JavaScript engines.
+ # These sequences have identical meaning as the original characters inside the
# context of a JSON string, so assuming the input is a valid and well-formed
- # JSON value, the output will have equivilant meaning when parsed:
- #
+ # JSON value, the output will have equivalent meaning when parsed:
+ #
# json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
# # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"
- #
+ #
# json_escape(json)
# # => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"
- #
+ #
# JSON.parse(json) == JSON.parse(json_escape(json))
# # => true
- #
+ #
# The intended use case for this method is to escape JSON strings before including
# them inside a script tag to avoid XSS vulnerability:
- #
- # <script type="application/javascript">
+ #
+ # <script>
# var currentUser = <%= json_escape current_user.to_json %>;
# </script>
- #
+ #
# WARNING: this helper only works with valid JSON. Using this on non-JSON values
# will open up serious XSS vulnerabilities. For example, if you replace the
# +current_user.to_json+ in the example above with user input instead, the browser
# will happily eval() that string as JavaScript.
- #
+ #
# The escaping performed in this method is identical to those performed in the
- # ActiveSupport JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is
+ # Active Support JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is
# set to true. Because this transformation is idempotent, this helper can be
# applied even if +ActiveSupport.escape_html_entities_in_json+ is already true.
- #
+ #
# Therefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+
# is enabled, or if you are unsure where your JSON string originated from, it
# is recommended that you always apply this helper (other libraries, such as the
- # JSON gem, does not provide this kind of protection by default; also some gems
- # might override +#to_json+ to bypass ActiveSupport's encoder).
- #
+ # JSON gem, do not provide this kind of protection by default; also some gems
+ # might override +to_json+ to bypass Active Support's encoder).
+ #
# The output of this helper method is marked as HTML safe so that you can directly
- # include it inside a +<script>+ tag as shown above.
- #
+ # include it inside a <tt><script></tt> tag as shown above.
+ #
# However, it is NOT safe to use the output of this inside an HTML attribute,
# because quotation marks are not escaped. Doing so might break your page's layout.
- # If you intend to use this inside an HTML attribute, you should use the
+ # If you intend to use this inside an HTML attribute, you should use the
# +html_escape+ helper (or its +h+ alias) instead:
- #
+ #
# <div data-user-info="<%= h current_user.to_json %>">...</div>
- #
+ #
def json_escape(s)
result = s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
s.html_safe? ? result.html_safe : result