From 0345c975879e352a5726ff9f91258fdb3afe8525 Mon Sep 17 00:00:00 2001
From: Rick Olson
Date: Tue, 29 May 2007 09:10:36 +0000
Subject: escape <'s and >'s in JSON strings. #8371 [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6893 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 activesupport/CHANGELOG | 2 ++
 activesupport/lib/active_support/json/encoders/string.rb | 6 ++++--
 activesupport/test/json/encoding_test.rb | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
(limited to 'activesupport')
diff --git a/activesupport/CHANGELOG b/activesupport/CHANGELOG
index e0296914fc..6e6eb1547d 100644
--- a/activesupport/CHANGELOG
+++ b/activesupport/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
+* escape <'s and >'s in JSON strings. #8371 [Rick]
+
 * Inflections: MatrixTest -> MatrixTests instead of MatricesTest. #8496 [jbwiv]
 * Multibyte strings respond_to the String methods they proxy so they can be duck-typed. #6549 [Tuxie]
diff --git a/activesupport/lib/active_support/json/encoders/string.rb b/activesupport/lib/active_support/json/encoders/string.rb
index 707298d987..f357262fc6 100644
--- a/activesupport/lib/active_support/json/encoders/string.rb
+++ b/activesupport/lib/active_support/json/encoders/string.rb
@@ -8,7 +8,9 @@ module ActiveSupport
 "\r" => '\r',
 "\t" => '\t',
 '"' => '\"',
- '\\' => '\\\\'
+ '\\' => '\\\\',
+ ">" => '\076',
+ '<' => '\074'
 }
 end
 end
@@ -16,7 +18,7 @@ end
 class String
 def to_json #:nodoc:
- '"' + gsub(/[\010\f\n\r\t"\\]/) { |s|
+ '"' + gsub(/[\010\f\n\r\t"\\><]/) { |s|
 ActiveSupport::JSON::Encoding::ESCAPED_CHARS[s]
 }.gsub(/([\xC0-\xDF][\x80-\xBF]|
 [\xE0-\xEF][\x80-\xBF]{2}|
diff --git a/activesupport/test/json/encoding_test.rb b/activesupport/test/json/encoding_test.rb
index 3c0e0bc6b2..9ed7683b86 100644
--- a/activesupport/test/json/encoding_test.rb
+++ b/activesupport/test/json/encoding_test.rb
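Review bot: The two new table entries `">" => '\076'` and `'<' => '\074'` emit octal escapes, which the JSON grammar does not define (it allows only `\"`, `\\`, `\/`, `\b`, `\f`, `\n`, `\r`, `\t` and `\uXXXX`), so a strict JSON parser on the receiving side may reject or misread the output even where a JavaScript `eval` accepts it. Writing them as `'>' => '\u003E'` and `'<' => '\u003C'` keeps the same protection for JSON placed inside markup while staying within the grammar. `&` is still passed through, so output that ends up in an attribute or XHTML context needs HTML escaping on top of this. The `ESCAPED_CHARS` hash opens above the hunk.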
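Review bot: The character class in `gsub(/[\010\f\n\r\t"\\><]/)` now has to be kept in step by hand with the keys of `ESCAPED_CHARS`; a character added to the class but not to the hash makes the lookup return nil, and the block then replaces that character with an empty string instead of failing. Changing the lookup to `ActiveSupport::JSON::Encoding::ESCAPED_CHARS.fetch(s)` turns such a mismatch into an error. Since `to_json` is marked `#:nodoc:`, a one-line comment such as `# < and > are escaped so the result can sit inside HTML without closing the surrounding element` would record why the class is wider than JSON requires, if that is the intent; the commit message does not say. The method body continues past the end of the hunk.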
@@ -13,7 +13,7 @@ class TestJSONEncoding < Test::Unit::TestCase
 NumericTests = [[ 1, %(1) ], [ 2.5, %(2.5) ]]
- StringTests = [[ 'this is the string', %("this is the string") ],
+ StringTests = [[ 'this is the ', %("this is the \\074string\\076")],
 [ 'a "string" with quotes', %("a \\"string\\" with quotes") ]]
 ArrayTests = [[ ['a', 'b', 'c'], %([\"a\", \"b\", \"c\"]) ],
-- 
cgit v1.2.3
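Review bot: The changed `StringTests` row replaces the plain-string case rather than adding to it, so after this commit no assertion checks that a string without special characters is encoded unchanged. Keeping `[ 'this is the string', %("this is the string") ],` and adding the angle-bracket case as its own row would cover both. As the new row is displayed here its input is `'this is the '`, which could not produce the expected `\\074string\\076`; the input presumably contained the bracketed word and the page rendering dropped it. The `TestJSONEncoding` class continues outside the hunk.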