Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify behavior of json_escape #13646

Merged
merged 1 commit into from Jan 13, 2014
Merged

Clarify behavior of json_escape #13646

merged 1 commit into from Jan 13, 2014

Conversation

jenseng
Copy link
Contributor

@jenseng jenseng commented Jan 9, 2014

The behavior of json_escape was fixed in 2f1c578, but the doc
changes and example in that commit incorrectly indicated that the
return value would be html-safe. Since quotation marks are
preserved, the raw value is not safe to use in other contexts
(specifically HTML attributes).

@chancancode
Copy link
Member

Given the intense use case, this seems to make sense, but I'll delegate to other s on the sec team to decide. 

cc @NZKoz also

Sent from Mailbox for iPhone

On Wed, Jan 8, 2014 at 8:48 PM, Jon Jensen notifications@github.com
wrote:

The escaping behavior of json_escape was fixed in #13073, but you still have to raw the return value in order to avoid the dreaded "s blowing up your javascript. That conflicts with an explicit doc change in the very same commit, and was most likely an oversight.
This commit essentially reverts 0b02284, and also always flags the result as html-safe. Per the docs, you should not put the raw result of json_escape in an HTML attribute, as double-quotes are left as-is and can break your layout.
/cc @chancancode @jeremy @tenderlove
You can merge this Pull Request by running:
git pull https://github.com/jenseng/rails json_escape
Or you can view, comment on it, or merge it online at:
#13646
-- Commit Summary --

@chancancode
Copy link
Member

intended*—
Sent from Mailbox for iPhone

On Wed, Jan 8, 2014 at 8:48 PM, Jon Jensen notifications@github.com
wrote:

The escaping behavior of json_escape was fixed in #13073, but you still have to raw the return value in order to avoid the dreaded "s blowing up your javascript. That conflicts with an explicit doc change in the very same commit, and was most likely an oversight.
This commit essentially reverts 0b02284, and also always flags the result as html-safe. Per the docs, you should not put the raw result of json_escape in an HTML attribute, as double-quotes are left as-is and can break your layout.
/cc @chancancode @jeremy @tenderlove
You can merge this Pull Request by running:
git pull https://github.com/jenseng/rails json_escape
Or you can view, comment on it, or merge it online at:
#13646
-- Commit Summary --

@NZKoz
Copy link
Member

NZKoz commented Jan 9, 2014

I dunno, my first instinct is that if the value isn't actually safe for insertion in attributes, it should not be returned html safe. It's not a huge problem for users to call raw, but it is a huge problem if someone accidentally gets themselves pwnt.

@rafaelfranca
Copy link
Member

I agree with @NZKoz. I'm seeing in the horizon a security report because of this change.

@chancancode
Copy link
Member

👍 I can see the argument for leaning towards the safer side. Let's update the docs then? @jenseng can you do that?

@jenseng
Copy link
Contributor Author

jenseng commented Jan 9, 2014

Sure thing, I'll amend the PR.

As an aside, it would be nice if there were a concept of the current html context in ERB (attr vs <script> vs other) and corresponding levels/types of html-safety, but I could see that being pretty gnarly to implement :-/

@ghost ghost assigned chancancode Jan 9, 2014
@jenseng
Clarify behavior of json_escape, update examples
7ce6840 
The behavior of json_escape was fixed in 2f1c578, but the doc
changes and example in that commit incorrectly indicated that the
return value would be html-safe. Since quotation marks are
preserved, the raw value is not safe to use in other contexts
(specifically HTML attributes).
@jenseng
Copy link
Contributor Author

jenseng commented Jan 10, 2014

On a related note, should we go ahead and make the return value never be html-safe? It seems weird to preserve the html-safety from the input string. Like, what exactly would an html-safe JSON input to this be? And if your JSON string is already legitimately html-safe, why would you pass it into json_escape?

I guess I'm having a hard time understanding the rationale behind this old commit.

It lets you do stuff like <%= json_escape(user.to_json.html_safe) %>, but that seems a little wonky.

@jenseng
Copy link
Contributor Author

jenseng commented Jan 12, 2014

Do I need to worry about the build failures? Looks database/travis related, which seems unlikely to be due to this simple doc change.

chancancode added a commit that referenced this pull request Jan 13, 2014
@chancancode
Merge pull request #13646 from jenseng/json_escape
2b4ed72 
Clarify behavior of json_escape [ci skip]
@chancancode chancancode merged commit 2b4ed72 into rails:master Jan 13, 2014
@chancancode
Copy link
Member

Thanks! For the future, please add [ci skip] to doc changes :)

@jenseng
Copy link
Contributor Author

jenseng commented Jan 13, 2014

Awesome, will do. Thanks again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@chancancode chancancode

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jenseng @chancancode @NZKoz @rafaelfranca