difference with clojure.contrib.json on backslash escaping

[mpenet]

Hello,

clojure.contrib.json escapes backslashes by default, even though it is not a standard feature Jackson supports this as well through http://jackson.codehaus.org/1.9.0/javadoc/org/codehaus/jackson/JsonParser.Feature.html#ALLOW_BACKSLASH_ESCAPING_ANY_CHARACTER

Here is an example that illustrates the issue:

(use 'cheshire.core)
user> (generate-string "<script>explodes</script>")
"\"<script>explodes</script>\""

(use 'clojure.contrib.json)
(json-str "<script>explodes</script>")
"\"<script>explodes<\\/script>\""

Most of the time the default jackson behavior is fine, but if your json is embedded in an html page, in a script tag and it contains an HTML tag (like script, </script> unescaped, it will be parsed as the closing tag of the script container before the real one), this can cause some headaches.

A possible solution would be to enable this feature by default, matching json-str behavior.

What do you think about this?

[dakrone]

This sounds good, at the least I'll work on making the option configurable so either way can be specified.

[dakrone]

Okay, I've release 2.1.0 which has hooks to allow setting any of the custom Jackson options.

However, I don't think the ALLOW_BACKSLASH_ESCAPING_ANY_CHARACTER behaves like you would like it to, it allows for a different set of escaped characters to be passed in, not auto-escaping things.

As a workaround for your case, I would recommend a replaceAll on the string:

user=> (use 'cheshire.core)
nil
user=> (.replaceAll (generate-string "<script>explodes</script>") "\\/" "\\\\/")
"\"<script>explodes<\\/script>\"

[mpenet]

Thanks for the changes.

I did something quite similar to your example in the end, it is necessary only in some rare exceptions so I wasn t so sure about making this a default anymore.