From 30639e1d107b70abc338bc786943db1d88d31e0d Mon Sep 17 00:00:00 2001
From: Yuval Kordov <uberllama@gmail.com>
Date: Wed, 12 Feb 2014 08:22:13 -0700
Subject: Amended json_escape comment to clarify that user-generated content
 must still be html_escaped if being inserted ingot he DOM via JQuery's html()
 method.

---
 activesupport/lib/active_support/core_ext/string/output_safety.rb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'activesupport')

diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index eb02b6a442..1f9a953d93 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -78,6 +78,11 @@ class ERB
     # automatically flag the result as HTML safe, since the raw value is unsafe to
     # use inside HTML attributes.
     #
+    # If your JSON is being used downstream for insertion into the DOM, be aware of
+    # whether or not it is being inserted via +html()+. Most JQuery plugins do this.
+    # If that is the case, be sure to +html_escape+ or +sanitize+ any user-generated
+    # content returned by your JSON.
+    #
     # If you need to output JSON elsewhere in your HTML, you can just do something
     # like this, as any unsafe characters (including quotation marks) will be
     # automatically escaped for you:
-- 
cgit v1.2.3