From 92f02adf407d6884ffea789b39f78f44b7fd3722 Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Sun, 2 Dec 2007 08:45:35 +0000 Subject: Don't escape forward slashes with String#to_json, our unicode encoding of < and > prevent the XSS problems. [tpope] Closes #10273 git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8255 5ecf4fe2-1ee6-0310-87b1-e25e094e27de --- actionpack/test/template/javascript_helper_test.rb | 8 ++++---- actionpack/test/template/prototype_helper_test.rb | 20 ++++++++++---------- .../lib/active_support/json/encoders/string.rb | 5 ++--- activesupport/test/json/encoding_test.rb | 2 +- 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/actionpack/test/template/javascript_helper_test.rb b/actionpack/test/template/javascript_helper_test.rb index 1fabe80ba7..0d44e96f84 100644 --- a/actionpack/test/template/javascript_helper_test.rb +++ b/actionpack/test/template/javascript_helper_test.rb @@ -38,14 +38,14 @@ class JavaScriptHelperTest < Test::Unit::TestCase html = link_to_function( "Greet me!" ) do |page| page.replace_html 'header', "

Greetings

" end - assert_dom_equal %(Greet me!), html + assert_dom_equal %(Greet me!), html end def test_link_to_function_with_rjs_block_and_options html = link_to_function( "Greet me!", :class => "updater" ) do |page| page.replace_html 'header', "

Greetings

" end - assert_dom_equal %(Greet me!), html + assert_dom_equal %(Greet me!), html end def test_link_to_function_with_href @@ -67,14 +67,14 @@ class JavaScriptHelperTest < Test::Unit::TestCase html = button_to_function( "Greet me!" ) do |page| page.replace_html 'header', "

Greetings

" end - assert_dom_equal %(), html + assert_dom_equal %(), html end def test_button_to_function_with_rjs_block_and_options html = button_to_function( "Greet me!", :class => "greeter" ) do |page| page.replace_html 'header', "

Greetings

" end - assert_dom_equal %(), html + assert_dom_equal %(), html end def test_button_to_function_with_onclick diff --git a/actionpack/test/template/prototype_helper_test.rb b/actionpack/test/template/prototype_helper_test.rb index 6caf67810c..3978722419 100644 --- a/actionpack/test/template/prototype_helper_test.rb +++ b/actionpack/test/template/prototype_helper_test.rb @@ -303,23 +303,23 @@ class JavaScriptGeneratorTest < Test::Unit::TestCase end def test_insert_html_with_string - assert_equal 'new Insertion.Top("element", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E");', + assert_equal 'new Insertion.Top("element", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E");', @generator.insert_html(:top, 'element', '

This is a test

') - assert_equal 'new Insertion.Bottom("element", "\\u003Cp\u003EThis is a test\\u003C\\/p\u003E");', + assert_equal 'new Insertion.Bottom("element", "\\u003Cp\u003EThis is a test\\u003C/p\u003E");', @generator.insert_html(:bottom, 'element', '

This is a test

') - assert_equal 'new Insertion.Before("element", "\\u003Cp\u003EThis is a test\\u003C\\/p\u003E");', + assert_equal 'new Insertion.Before("element", "\\u003Cp\u003EThis is a test\\u003C/p\u003E");', @generator.insert_html(:before, 'element', '

This is a test

') - assert_equal 'new Insertion.After("element", "\\u003Cp\u003EThis is a test\\u003C\\/p\u003E");', + assert_equal 'new Insertion.After("element", "\\u003Cp\u003EThis is a test\\u003C/p\u003E");', @generator.insert_html(:after, 'element', '

This is a test

') end def test_replace_html_with_string - assert_equal 'Element.update("element", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E");', + assert_equal 'Element.update("element", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E");', @generator.replace_html('element', '

This is a test

') end def test_replace_element_with_string - assert_equal 'Element.replace("element", "\\u003Cdiv id=\"element\"\\u003E\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E\\u003C\\/div\\u003E");', + assert_equal 'Element.replace("element", "\\u003Cdiv id=\"element\"\\u003E\\u003Cp\\u003EThis is a test\\u003C/p\\u003E\\u003C/div\\u003E");', @generator.replace('element', '

This is a test

') end @@ -356,7 +356,7 @@ class JavaScriptGeneratorTest < Test::Unit::TestCase end def test_redirect_to - assert_equal 'window.location.href = "http:\\/\\/www.example.com\\/welcome";', + assert_equal 'window.location.href = "http://www.example.com/welcome";', @generator.redirect_to(:action => 'welcome') end @@ -375,10 +375,10 @@ class JavaScriptGeneratorTest < Test::Unit::TestCase @generator.replace_html('baz', '

This is a test

') assert_equal <<-EOS.chomp, @generator.to_s -new Insertion.Top("element", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E"); -new Insertion.Bottom("element", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E"); +new Insertion.Top("element", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E"); +new Insertion.Bottom("element", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E"); ["foo", "bar"].each(Element.remove); -Element.update("baz", "\\u003Cp\\u003EThis is a test\\u003C\\/p\\u003E"); +Element.update("baz", "\\u003Cp\\u003EThis is a test\\u003C/p\\u003E"); EOS end diff --git a/activesupport/lib/active_support/json/encoders/string.rb b/activesupport/lib/active_support/json/encoders/string.rb index ca74436802..28f1190662 100644 --- a/activesupport/lib/active_support/json/encoders/string.rb +++ b/activesupport/lib/active_support/json/encoders/string.rb @@ -11,8 +11,7 @@ module ActiveSupport '\\' => '\\\\', '>' => '\u003E', '<' => '\u003C', - '&' => '\u0026', - '/' => '\\/' + '&' => '\u0026' } end end @@ -20,7 +19,7 @@ end class String def to_json(options = nil) #:nodoc: - '"' + gsub(/[\010\f\n\r\t"\\><&\/]/) { |s| + '"' + gsub(/[\010\f\n\r\t"\\><&]/) { |s| ActiveSupport::JSON::Encoding::ESCAPED_CHARS[s] }.gsub(/([\xC0-\xDF][\x80-\xBF]| [\xE0-\xEF][\x80-\xBF]{2}| diff --git a/activesupport/test/json/encoding_test.rb b/activesupport/test/json/encoding_test.rb index 888bf126dd..bf1b9893cb 100644 --- a/activesupport/test/json/encoding_test.rb +++ b/activesupport/test/json/encoding_test.rb 
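Review bot: With the `'/' => '\\/'` entry gone, the only thing stopping an encoded string from closing an inline script element is the `'<' => '\u003C'` / `'>' => '\u003E'` pair just above it, and nothing in the hash says so; a later cleanup could remove them as cosmetic. Add a comment above those entries, e.g. `# '<' and '>' MUST stay escaped: with '/' no longer escaped they are the sole defence against a closing script tag inside JSON that is embedded in HTML (#10273).` The hunk as rendered here shows the two removed lines but no `+` line for the kept `'&' => '\u0026'` entry, which looks like a rendering artefact of this page rather than the patch dropping the ampersand escape.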
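Review bot: The narrowed class `[\010\f\n\r\t"\\><&]` still lets every other C0 control character (U+0000–U+001F other than those five) through unescaped, so a string containing e.g. `\000` or `\033` encodes to output that strict JSON parsers reject; RFC 4627 requires all of U+0000–U+001F to be escaped. The class also has to be kept in step with the `ESCAPED_CHARS` keys by hand (this commit edits both), and when they drift the block returns nil for the unmapped character and `gsub` silently deletes it. One change covers both: match `/[\x00-\x1f"\\><&]/` and use `ActiveSupport::JSON::Encoding::ESCAPED_CHARS[s] || '\u%04X' % s.unpack('C').first` as the replacement, so anything without a dedicated entry becomes a generic `\u00XX` escape. Whether U+2028/U+2029 (legal raw in JSON, line terminators in JavaScript, relevant because the prototype helpers splice this output into script) are handled depends on the multibyte `gsub` whose replacement lies outside the hunk; worth confirming it emits `\uXXXX` for them. `to_json` continues past the end of the hunk.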
@@ -15,7 +15,7 @@ class TestJSONEncoding < Test::Unit::TestCase StringTests = [[ 'this is the ', %("this is the \\u003Cstring\\u003E")], [ 'a "string" with quotes & an ampersand', %("a \\"string\\" with quotes \\u0026 an ampersand") ], - [ 'http://test.host/posts/1', %("http:\\/\\/test.host\\/posts\\/1")]] + [ 'http://test.host/posts/1', %("http://test.host/posts/1")]] ArrayTests = [[ ['a', 'b', 'c'], %([\"a\", \"b\", \"c\"]) ], [ [1, 'a', :b, nil, false], %([1, \"a\", \"b\", null, false]) ]] -- cgit v1.2.3
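Review bot: The commit's safety argument — that `\u003C`/`\u003E` escaping makes escaping `/` unnecessary — is not pinned by this table: the new `http://test.host/posts/1` row only checks that slashes pass through, and the first `StringTests` row checks `\\u003Cstring\\u003E` for an ordinary tag, not the closing-script-tag case. Add a row such as `[ '</script>', %("\\u003C/script\\u003E") ]` so that a later change dropping the `<` entry from `ESCAPED_CHARS` fails this suite instead of reopening the break-out. With `'/'` no longer in the escape set, that expectation is exactly what the new encoder produces.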