Provide a more useful definition of json_escape #6094

Closed
@jfirebaugh
Contributor

The existing definition removes double quote characters, and hence returns invalid JSON, making it unsuitable for the most common use case: bootstrapping JSON within a <script> element.

I am unaware of any use cases satisfied by the current behavior, which was previously discussed on lighthouse without coming to a satisfactory resolution. The original commit at 0ff7a2d does not indicate that the double quote behavior was intentional. It seems likely that it was simply an oversight after copy and pasting the definition of html_escape.

Since Rails does not make it easy to correctly escape bootstrapped JSON, incorrect and insecure methods are widespread and incorrectly recommended: 1, 2, 3. This change, together with community education, would alleviate the situation.

It's worth discussion whether json_escape should always return HTML-safe strings, such that it can be used without explicitly calling html_safe:

<script>
  var data = <%=j @data.to_json %>;
</script>

Also related is the discussion of the other j helper at #3578.

@jfirebaugh Provide a more useful definition of json_escape
The previous definition removed double quote characters,
and hence returned invalid JSON, making it unsuitable
for the most common use case: bootstrapping JSON in
a <script> element.

The original definition was at 0ff7a2d,
without indication that the double quote behavior was intentional.
It seems likely that it was simply an oversight after
copy and pasting the definition of html_escape.

Furthermore, since json_escape does not return a HTML-safe
string if not passed one, it is unnecessary for it to escape
characters other than the slash.
59e04d8
@colszowka

+1

@rapind
rapind commented Jun 21, 2012

+1

@anbotero
Contributor
anbotero commented Aug 8, 2012

+1

@ay
Contributor
ay commented Sep 2, 2012

+1

@moll
moll commented Sep 8, 2012

So, what's the state with this? The current escape_json is one freaky bastard.

@steveklabnik
Member

The current state is 'nobody from core has reviewed it.'

@steveklabnik
Member

This needs a rebase.

@parndt
Contributor
parndt commented Feb 26, 2013

@jfirebaugh are you able to rebase this so that it can be reviewed? Looks like a useful change 👍

@conzett
conzett commented Mar 13, 2013

+1

@nertzy
Contributor
nertzy commented Apr 6, 2013

+1, I've often worried about </script> leaking in via user input. It's much better to know how to address this.

@lidaobing

-1

the widely used $("#form").html("<%= j render(:partial => ....) %>") no longer works

@gabetax
gabetax commented Apr 18, 2013

@lidaobing The already-merged #3578 removed the j alias to json_escape, and leaves it pointing to escape_javascript, which the docs say is for your use case. I don't think this change should affect your cited use case.

@lidaobing

@gabetax got it, thanks

@Hebo
Hebo commented Jun 4, 2013

+1, ran into this issue, and it would be great for Rails to have a way of handling this.

@gerwitz
gerwitz commented Jun 16, 2013

+1

@MCodyB
MCodyB commented Feb 5, 2014

I'm not sure if this is the right place but I thought I should point out that the rubydocs don't reflect this change
JSON_ESCAPE_REGEXP = /[&"><]/

instead of the new regex

JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u

Similarly it's still
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

instead of the new

JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }

http://rubydoc.info/docs/rails/ERB/Util#json_escape-class_method
http://api.rubyonrails.org/classes/ERB/Util.html
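The following is an added, stand-alone Ruby example (not Rails' own code) that reconstructs the two json_escape behaviours described in this PR: the old definition from the description above, which matched the double quote but had no table entry for it, and the new constants quoted in the previous comment. It compares raw `to_json` output, the old escape and the new escape on a constructed record containing a closing `</script>` tag and a raw U+2028 line separator, checking two things a bootstrapped `<script>` block needs: no literal `<` left in the embedded text, and JSON that still decodes to the original object. The helper names (`old_json_escape`, `bootstrap_script`, `breaks_out_of_script?`, `round_trips?`, `compare`) and the sample data are assumptions made for this example.

```ruby
require "json"

# Added example, not Rails code: a stand-alone reconstruction of the two
# json_escape definitions discussed in this thread.

# Behaviour before this change: the regexp matches '"' but the table has no
# entry for it, so the block returns nil, gsub substitutes "" and the quote
# is silently dropped, which is what makes the output invalid JSON.
OLD_JSON_ESCAPE_REGEXP = /[&"><]/
OLD_JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

def old_json_escape(s)
  s.to_s.gsub(OLD_JSON_ESCAPE_REGEXP) { |special| OLD_JSON_ESCAPE[special] }
end

# Behaviour after this change (constants as quoted in the comment above):
# '"' is no longer touched, and the line terminators U+2028/U+2029 become
# \u escapes because they are legal inside JSON strings but not inside
# JavaScript string literals.
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c',
                "\u2028" => '\u2028', "\u2029" => '\u2029' }

def json_escape(s)
  s.to_s.gsub(JSON_ESCAPE_REGEXP) { |special| JSON_ESCAPE[special] }
end

# Constructed attacker-controlled record (sample data for this example):
# a closing </script> tag plus a raw U+2028 line separator.
USER_DATA = {
  "name" => "</script><script>alert(1)</script>",
  "note" => "line\u2028break",
}.freeze

# Renders the "var data = ..." bootstrap shown in the PR description.
def bootstrap_script(json)
  "<script>\n  var data = #{json};\n</script>"
end

# The HTML parser ends script data at the first "</script", so any literal
# "<" inside the embedded JSON is a breakout risk; escaped JSON must have none.
def breaks_out_of_script?(json)
  json.include?("<")
end

# Valid JSON that decodes back to the original object is what the browser's
# JS engine has to receive for the bootstrap to be useful.
def round_trips?(json, original)
  JSON.parse(json) == original
rescue JSON::ParserError
  false
end

# For each variant: [still contains a literal "<", decodes to the original].
def compare(data = USER_DATA)
  raw = data.to_json
  old = old_json_escape(raw)
  new = json_escape(raw)
  {
    raw: [breaks_out_of_script?(raw), round_trips?(raw, data)],
    old: [breaks_out_of_script?(old), round_trips?(old, data)],
    new: [breaks_out_of_script?(new), round_trips?(new, data)],
  }
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |k, (breakout, ok)| puts "#{k}: breakout=#{breakout} round_trips=#{ok}" }
  puts bootstrap_script(json_escape(USER_DATA.to_json))
end
```

Running it shows the three outcomes the thread argues about: raw `to_json` keeps the `</script>` intact (breakout), the old escape blocks the breakout but strips every quote so nothing parses, and the new escape blocks the breakout while `JSON.parse` still returns the original hash, because `\u003c` is a legal JSON string escape. The result here is a plain Ruby String; inside an ERB template it still has to be marked `html_safe` (or json_escape has to be handed an html_safe string), otherwise `<%= %>` entity-escapes the quotes a second time, which is the question raised in the PR description.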

@chancancode
Member

This is only fixed on master (and 4.1.beta1), you can see it on
http://edgeapi.rubyonrails.org/classes/ERB/Util.html


@ankane referenced this pull request in ankane/blazer on Jul 11, 2015: "Javascript breaks in queries/show" #18 (Closed)
