Replace JSON.load with JSON.parse, also removed the proc parameter
Since we are dealing with untrusted user input, we should not be using JSON.load. According to the docs: "BEWARE: This method is meant to serialise data from trusted user input, like from your own database server or clients under your control, it could be dangerous to allow untrusted users to pass JSON sources into it. The default options for the parser can be changed via the ::load_default_options method." http://www.ruby-doc.org/stdlib-2.0/libdoc/json/rdoc/JSON.html#method-i-load
Showing with 16 additions and 3 deletions.
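The difference the commit message relies on, as an added example that is not part of the commit or the project's code: a constructed class with a `json_create` hook, a constructed input that names it in `json_class`, and the JSON.load (with the defaults the docs warn about) and JSON.parse paths side by side. The `Greeting` class, the `TAGGED` input and the two helper names are assumptions for the demo.

```ruby
require 'json'

# Constructed for the demo: any class that defines json_create can be
# instantiated by JSON.load when create_additions is on and the input names it
# in "json_class". Harmless here, but the input, not the program, picks the class.
class Greeting
  attr_reader :text

  def initialize(text)
    @text = text
  end

  def self.json_create(hash)
    new(hash['text'])
  end
end

# Constructed input shaped like an attacker-controlled request body.
TAGGED = '{"json_class":"Greeting","text":"hello"}'.freeze

# Before: JSON.load, whose load_default_options (allow_blank, create_additions)
# are meant for data you serialised yourself.
def load_trusting(src)
  JSON.load(src, nil, create_additions: true)
end

# After: JSON.parse never creates additions and rejects nil/blank input; a
# conservative max_nesting bounds attacker-chosen recursion depth.
def parse_untrusted(src)
  JSON.parse(src, max_nesting: 20, create_additions: false)
end

if $PROGRAM_NAME == __FILE__
  p load_trusting(TAGGED).class   # Greeting: the input chose the class
  p parse_untrusted(TAGGED).class # Hash: json_class is just another key
  p load_trusting(nil)            # nil: blank input silently accepted
  begin
    parse_untrusted(nil)
  rescue TypeError => e
    puts "parse rejected nil: #{e.class}"
  end
end
```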