authorMichael Koziarski <michael@koziarski.com>2007-12-02 08:45:35 +0000
committerMichael Koziarski <michael@koziarski.com>2007-12-02 08:45:35 +0000
commit92f02adf407d6884ffea789b39f78f44b7fd3722 (patch)
tree3d363b6feb853f93c54f6faf40f294738c4de4ce /activesupport
parente7c5da6260918d770f9d7abd311337ff1cb09d60 (diff)
Don't escape forward slashes with String#to_json; our unicode encoding of < and > prevents the XSS problems. [tpope] Closes #10273
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8255 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'activesupport')
-rw-r--r--activesupport/lib/active_support/json/encoders/string.rb5
-rw-r--r--activesupport/test/json/encoding_test.rb2
2 files changed, 3 insertions, 4 deletions
diff --git a/activesupport/lib/active_support/json/encoders/string.rb b/activesupport/lib/active_support/json/encoders/string.rb
index ca74436802..28f1190662 100644
--- a/activesupport/lib/active_support/json/encoders/string.rb
+++ b/activesupport/lib/active_support/json/encoders/string.rb
@@ -11,8 +11,7 @@ module ActiveSupport
'\\' => '\\\\',
'>' => '\u003E',
'<' => '\u003C',
- '&' => '\u0026',
- '/' => '\\/'
+ '&' => '\u0026'
}
end
end
@@ -20,7 +19,7 @@ end
class String
def to_json(options = nil) #:nodoc:
- '"' + gsub(/[\010\f\n\r\t"\\><&\/]/) { |s|
+ '"' + gsub(/[\010\f\n\r\t"\\><&]/) { |s|
ActiveSupport::JSON::Encoding::ESCAPED_CHARS[s]
}.gsub(/([\xC0-\xDF][\x80-\xBF]|
[\xE0-\xEF][\x80-\xBF]{2}|
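Review bot: The new character class on the `gsub` line still escapes only five of the C0 control characters (`\010`, `\f`, `\n`, `\r`, `\t`), so a string holding any other byte below 0x20 (NUL, `\v`, `\e`, …) is emitted raw, which is not valid JSON and will be rejected by a strict parser. Widening the class to `[\x00-\x1f"\\><&]` needs a fallback in the block, because ESCAPED_CHARS has no entry for those bytes: `ActiveSupport::JSON::Encoding::ESCAPED_CHARS[s] || '\u%04X' % s.unpack('C').first`. Dropping `/` is safe for values interpolated into an inline `<script>` only because `<` and `>` still map to `\u003C`/`\u003E` in the first hunk, so `</script>` inside a value cannot terminate the tag; that invariant is now load-bearing and deserves a comment on ESCAPED_CHARS, e.g. `# < and > are always encoded so JSON embedded in <script> cannot close the tag; / therefore needs no escaping`. `to_json` continues past the end of the hunk.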
diff --git a/activesupport/test/json/encoding_test.rb b/activesupport/test/json/encoding_test.rb
index 888bf126dd..bf1b9893cb 100644
--- a/activesupport/test/json/encoding_test.rb
+++ b/activesupport/test/json/encoding_test.rb
@@ -15,7 +15,7 @@ class TestJSONEncoding < Test::Unit::TestCase
StringTests = [[ 'this is the <string>', %("this is the \\u003Cstring\\u003E")],
[ 'a "string" with quotes & an ampersand', %("a \\"string\\" with quotes \\u0026 an ampersand") ],
- [ 'http://test.host/posts/1', %("http:\\/\\/test.host\\/posts\\/1")]]
+ [ 'http://test.host/posts/1', %("http://test.host/posts/1")]]
ArrayTests = [[ ['a', 'b', 'c'], %([\"a\", \"b\", \"c\"]) ],
[ [1, 'a', :b, nil, false], %([1, \"a\", \"b\", null, false]) ]]