diff options
Diffstat (limited to 'activesupport/lib/active_support')
| -rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 44 |
1 files changed, 22 insertions, 22 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index 23f95341f8..1b2098fc84 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -50,55 +50,55 @@ class ERB module_function :html_escape_once # A utility method for escaping HTML entities in JSON strings. Specifically, the - # &, > and < characters are replaced with their equivilant unicode escaped form - + # &, > and < characters are replaced with their equivalent unicode escaped form - # \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also - # escaped as then are treated as newline characters in some JavaScript engines. - # These sequences has identical meaning as the original characters inside the + # escaped as they are treated as newline characters in some JavaScript engines. + # These sequences have identical meaning as the original characters inside the # context of a JSON string, so assuming the input is a valid and well-formed - # JSON value, the output will have equivilant meaning when parsed: - # + # JSON value, the output will have equivalent meaning when parsed: + # # json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"}) # # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}" - # + # # json_escape(json) # # => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}" - # + # # JSON.parse(json) == JSON.parse(json_escape(json)) # # => true - # + # # The intended use case for this method is to escape JSON strings before including # them inside a script tag to avoid XSS vulnerability: - # - # <script type="application/javascript"> + # + # <script> # var currentUser = <%= json_escape current_user.to_json %>; # </script> - # + # # WARNING: this helper only works with valid JSON. Using this on non-JSON values # will open up serious XSS vulnerabilities. For example, if you replace the # +current_user.to_json+ in the example above with user input instead, the browser # will happily eval() that string as JavaScript. - # + # # The escaping performed in this method is identical to those performed in the - # ActiveSupport JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is + # Active Support JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is # set to true. Because this transformation is idempotent, this helper can be # applied even if +ActiveSupport.escape_html_entities_in_json+ is already true. - # + # # Therefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+ # is enabled, or if you are unsure where your JSON string originated from, it # is recommended that you always apply this helper (other libraries, such as the - # JSON gem, does not provide this kind of protection by default; also some gems - # might override +#to_json+ to bypass ActiveSupport's encoder). - # + # JSON gem, do not provide this kind of protection by default; also some gems + # might override +to_json+ to bypass Active Support's encoder). + # # The output of this helper method is marked as HTML safe so that you can directly - # include it inside a +<script>+ tag as shown above. - # + # include it inside a <tt><script></tt> tag as shown above. + # # However, it is NOT safe to use the output of this inside an HTML attribute, # because quotation marks are not escaped. Doing so might break your page's layout. - # If you intend to use this inside an HTML attribute, you should use the + # If you intend to use this inside an HTML attribute, you should use the # +html_escape+ helper (or its +h+ alias) instead: - # + # # <div data-user-info="<%= h current_user.to_json %>">...</div> - # + # def json_escape(s) result = s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE) s.html_safe? ? result.html_safe : result |