Mustache templates should escape JSON, not HTML #5473
Test case:
cool I will take a look at it
s1monw added a commit that referenced this issue Mar 20, 2014

The default mustache engine was using HTML escaping which breaks queries if used with JSON etc. This commit adds escaping for:

```
\b  Backspace (ascii code 08)
\f  Form feed (ascii code 0C)
\n  New line
\r  Carriage return
\t  Tab
\v  Vertical tab
\"  Double quote
\\  Backslash
```

Closes #5473
MaineC pushed a commit to MaineC/elasticsearch that referenced this issue Apr 27, 2015
This pull request replaces the current self-made implementation of JSON encoding special chars with re-using the Jackson JsonStringEncoder. Turns out the previous implementation also missed a few special chars so had to adjust the tests accordingly (looked at RFC 4627 for reference). Note: There's another JSON String encoder on our classpath (org.apache.commons.lang3.StringEscapeUtils) that essentially does the same thing but adds quoting to more characters than the Jackson Encoder above. Relates to elastic#5473
MaineC pushed a commit that referenced this issue Apr 28, 2015
This pull request replaces the current self-made implementation of JSON encoding special chars with re-using the Jackson JsonStringEncoder. Turns out the previous implementation also missed a few special chars so had to adjust the tests accordingly (looked at RFC 4627 for reference). Note: There's another JSON String encoder on our classpath (org.apache.commons.lang3.StringEscapeUtils) that essentially does the same thing but adds quoting to more characters than the Jackson Encoder above. Relates to #5473
mute pushed a commit to mute/elasticsearch that referenced this issue Jul 29, 2015

The default mustache engine was using HTML escaping which breaks queries if used with JSON etc. This commit adds escaping for:

```
\b  Backspace (ascii code 08)
\f  Form feed (ascii code 0C)
\n  New line
\r  Carriage return
\t  Tab
\v  Vertical tab
\"  Double quote
\\  Backslash
```

Closes elastic#5473
Currently we're using the default `escape` method from Mustache, which is intended for escaping HTML, not JSON. This results in things like `"` -> `&quot;`
Instead, we should be using these escapes:
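The effect described in this issue, as an added Python example that is not code from Elasticsearch or from any commit in this thread. Assumptions: `html.escape` stands in for Mustache's default HTML escaper, the query template, the `render` helper and the sample values are constructed, and `json_escape` is a hand-written escaper that follows the JSON string grammar.

```python
import html
import json

# Two-character escapes that JSON defines; every other control character
# below U+0020 has to be written as \uXXXX (vertical tab has no short form).
SHORT_ESCAPES = {'"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
                 '\n': '\\n', '\r': '\\r', '\t': '\\t'}

def json_escape(value):
    """Escape text for insertion between the quotes of a JSON string."""
    out = []
    for ch in value:
        if ch in SHORT_ESCAPES:
            out.append(SHORT_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

# Constructed query template; {{q}} is the only placeholder.
TEMPLATE = '{"query": {"match": {"title": "{{q}}"}}}'

def render(value, escape):
    """Hypothetical one-variable renderer: substitute escape(value) for {{q}}."""
    return TEMPLATE.replace('{{q}}', escape(value))

def roundtrip(value, escape):
    """Return the title a JSON parser sees, or None if the query no longer parses."""
    try:
        return json.loads(render(value, escape))['query']['match']['title']
    except ValueError:
        return None

if __name__ == '__main__':
    # Constructed parameter values: quotes, a backslash, a raw vertical tab.
    for sample in ['say "hi"', 'C:\\temp', 'a\x0bb']:
        print(repr(sample),
              '| html:', repr(roundtrip(sample, html.escape)),
              '| json:', repr(roundtrip(sample, json_escape)))
```

With the HTML escaper the first sample reaches the query as `say &quot;hi&quot;`, the second has its backslash and `t` read as a tab, and the third makes the query unparseable; with the JSON escaper all three come back unchanged.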