author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-02-06 14:49:32 -0200 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-02-06 14:49:32 -0200 |
commit | de9313ce7c310adc75f4bb22e2fab125b538e620 (patch) | |
tree | 8b3334f9bcbcec5885b08e6aba7c99e7ef89d198 /activesupport | |
parent | 16809025fe9ed9b3d6412ba28b0c535c409e75df (diff) | |
parent | 30639e1d107b70abc338bc786943db1d88d31e0d (diff) | |
download | rails-de9313ce7c310adc75f4bb22e2fab125b538e620.tar.gz rails-de9313ce7c310adc75f4bb22e2fab125b538e620.tar.bz2 rails-de9313ce7c310adc75f4bb22e2fab125b538e620.zip |
Merge pull request #14028 from uberllama/json_escape_comments
Amended json_escape comments
Diffstat (limited to 'activesupport')
-rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index ba8d4acd6d..ff5712ed5d 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -85,6 +85,11 @@ class ERB # automatically flag the result as HTML safe, since the raw value is unsafe to # use inside HTML attributes. # + # If your JSON is being used downstream for insertion into the DOM, be aware of + # whether or not it is being inserted via +html()+. Most JQuery plugins do this. + # If that is the case, be sure to +html_escape+ or +sanitize+ any user-generated + # content returned by your JSON. + # # If you need to output JSON elsewhere in your HTML, you can just do something # like this, as any unsafe characters (including quotation marks) will be # automatically escaped for you: |
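Review bot: the new paragraph in the json_escape docs gives the right warning but states it imprecisely, and the hunk's placement between the "not flagged HTML safe" paragraph and the "output JSON elsewhere in your HTML" paragraph makes the reader guess at the threat. Say plainly what the problem is: json_escape only makes the JSON safe to embed in a <script> block; once the client runs JSON.parse the original characters are back, so any string value the page then hands to jQuery's html() is rendered as markup. Then name the two fixes instead of leaving them implicit: html_escape the user-generated string values before they are serialized, or have the client insert them with text() rather than html(). Two smaller points on the same lines. "+sanitize+" is an Action View helper, not something available from this Active Support core extension, so either qualify it ("Action View's sanitize") or drop it and keep html_escape, which ERB::Util does provide. And "Most JQuery plugins do this." is an unsupported generalization with the project's name miscapitalized; "Many jQuery plugins insert content via +html()+" is safer and reads better.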