New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify behavior of json_escape #13646
Conversation
Given the intense use case, this seems to make sense, but I'll delegate to other s on the sec team to decide. cc @NZKoz also On Wed, Jan 8, 2014 at 8:48 PM, Jon Jensen notifications@github.com
|
intended*— On Wed, Jan 8, 2014 at 8:48 PM, Jon Jensen notifications@github.com
|
I dunno, my first instinct is that if the value isn't actually safe for insertion in attributes, it should not be returned html safe. It's not a huge problem for users to call raw, but it is a huge problem if someone accidentally gets themselves pwnt. |
I agree with @NZKoz. I'm seeing in the horizon a security report because of this change. |
👍 I can see the argument for leaning towards the safer side. Let's update the docs then? @jenseng can you do that? |
Sure thing, I'll amend the PR. As an aside, it would be nice if there were a concept of the current html context in ERB (attr vs <script> vs other) and corresponding levels/types of html-safety, but I could see that being pretty gnarly to implement :-/ |
The behavior of json_escape was fixed in 2f1c578, but the doc changes and example in that commit incorrectly indicated that the return value would be html-safe. Since quotation marks are preserved, the raw value is not safe to use in other contexts (specifically HTML attributes).
On a related note, should we go ahead and make the return value never be html-safe? It seems weird to preserve the html-safety from the input string. Like, what exactly would an html-safe JSON input to this be? And if your JSON string is already legitimately html-safe, why would you pass it into I guess I'm having a hard time understanding the rationale behind this old commit. It lets you do stuff like |
Do I need to worry about the build failures? Looks database/travis related, which seems unlikely to be due to this simple doc change. |
Clarify behavior of json_escape [ci skip]
Thanks! For the future, please add |
Awesome, will do. Thanks again! |
The behavior of json_escape was fixed in 2f1c578, but the doc
changes and example in that commit incorrectly indicated that the
return value would be html-safe. Since quotation marks are
preserved, the raw value is not safe to use in other contexts
(specifically HTML attributes).