Add 'json escape' option to unicode escape <, >, and & #3269
Conversation
There was a problem hiding this comment.
So I am reviewing this with the assumption that #3268 will result in the desire to add this feature, but you can wait on that discussion to fix the issue if you like :)
I would expect that res.jsonp would respect this option, if you can fix that (i.e. I would expect anywhere in Express that respects json replacer, json spaces, etc. to also honor this new json escape).
could use the char code version too
|
Added the setting to jsonp and git grep doesn't show the json options used elsewhere. Updated to use a single String.replace call that a similar change to hapijs/hoek showed as ~3x faster on the twitter.json test data. |
|
Unless there are any objections, I'm suggesting that this land in the 4.16.0 release. |
lib/response.js
Outdated
| @@ -248,6 +248,18 @@ res.json = function json(obj) { | |||
| var spaces = app.get('json spaces'); | |||
| var body = stringify(val, replacer, spaces); | |||
|
|
|||
| // escape characters that can cause old browsers to mistake json for html | |||
| if (app.get('json escape')) { | |||
| body = body.replace(/[<>&]/g, function (match) { | |||
There was a problem hiding this comment.
Please hoist regular expressions to the top of the file.
There was a problem hiding this comment.
And also since the function close not close over anything, please hoist that as well.
lib/response.js
Outdated
|
|
||
| // escape characters that can cause old browsers to mistake json for html | ||
| if (app.get('json escape')) { | ||
| body = body.replace(/[<>&\u2028\u2029]/g, function (match) { |
There was a problem hiding this comment.
Same comments as the other replace: hoist regular expression and function.
test/res.json.js
Outdated
| describe('"json escape" setting', function(){ | ||
| it('should be undefined by default', function(){ | ||
| var app = express(); | ||
| assert(undefined === app.get('json escape')); |
There was a problem hiding this comment.
I would really just say it's off by default and run through a response to validate it doesn't get escaped. That would help in case a change accidentally unconditionally escapes it.
test/res.jsonp.js
Outdated
| @@ -112,6 +112,21 @@ describe('res', function(){ | |||
| .expect(200, '{"str":"\u2028 \u2029 woot"}', done); | |||
| }); | |||
|
|
|||
| it('should escape <, >, and & when "json escape" is true', function(done){ | |||
There was a problem hiding this comment.
I think this is missing a default off test, like the res.json one :)
|
Thanks @dougwilson! I think I got all of the requested changes, but please modify the PR as necessary to get it in shape too. |
refs: #3268