Provide a more useful definition of json_escape

The previous definition removed double quote characters, and hence returned invalid JSON, making it unsuitable for the most common use case: bootstrapping JSON in a <script> element. The original definition was at 0ff7a2d, without indication that the double quote behavior was intentional. It seems likely that it was simply an oversight after copy and pasting the definition of html_escape. Furthermore, since json_escape does not return a HTML-safe string if not passed one, it is unnecessary for it to escape characters other than the slash.
jfirebaugh · Apr 30, 2012 · 59e04d8 · 59e04d8
1 parent 69c2307
commit 59e04d8
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 20 deletions.
diff --git a/actionpack/test/template/erb_util_test.rb b/actionpack/test/template/erb_util_test.rb
@@ -8,12 +8,10 @@ class ErbUtilTest < ActiveSupport::TestCase
     define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
       assert_equal expected, html_escape(given)
     end
+  end
 
-    unless given == '"'
-      define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
-        assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
-      end
-    end
+  def test_json_escape_escapes_slashes
+    assert_equal '<\/script>', json_escape('</script>')
   end
 
   def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings

diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -4,9 +4,7 @@
 class ERB
   module Util
     HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
-    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
     HTML_ESCAPE_ONCE_REGEXP = /[\"><]|&(?!([a-zA-Z]+|(#\d+));)/
-    JSON_ESCAPE_REGEXP = /[&"><]/
 
     # A utility method for escaping HTML tag characters.
     # This method is also aliased as <tt>h</tt>.
@@ -50,25 +48,25 @@ def html_escape_once(s)
 
     module_function :html_escape_once
 
-    # A utility method for escaping HTML entities in JSON strings
-    # using \uXXXX JavaScript escape sequences for string literals:
+    # A utility method for escaping JSON strings such that they
+    # cannot contain text that unintentionally closes a <script>
+    # element (a potential XSS vector).
     #
-    #   json_escape('is a > 0 & a < 10?')
-    #   # => is a \u003E 0 \u0026 a \u003C 10?
+    # This method is aliased as +j+, and available as a helper
+    # in Rails templates.
     #
-    # Note that after this operation is performed the output is not
-    # valid JSON. In particular double quotes are removed:
+    #   <script>
+    #     var data = <%=j @data.to_json.html_safe %>;
+    #   </script>
     #
-    #   json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}')
-    #   # => {name:john,created_at:2010-04-28T01:39:31Z,id:1}
+    # If @data is +"</script>"+, the output is:
     #
-    # This method is also aliased as +j+, and available as a helper
-    # in Rails templates:
-    #
-    #   <%=j @person.to_json %>
+    #   <script>
+    #     var data = "<\/script>";
+    #   </script>
     #
     def json_escape(s)
-      result = s.to_s.gsub(JSON_ESCAPE_REGEXP) { |special| JSON_ESCAPE[special] }
+      result = s.to_s.gsub('/', '\/')
       s.html_safe? ? result.html_safe : result
     end