Provide a more useful definition of json_escape #6094

jfirebaugh · 2012-04-30T20:30:58Z

The existing definition removes double quote characters, and hence returns invalid JSON, making it unsuitable for the most common use case: bootstrapping JSON within a <script> element.

I am unaware of any use cases satisfied by the current behavior, which was previously discussed on lighthouse without coming to a satisfactory resolution. The original commit at 0ff7a2d does not indicate that the double quote behavior was intentional. It seems likely that it was simply an oversight after copy and pasting the definition of html_escape.

Since Rails does not make it easy to correctly escape bootstrapped JSON, incorrect and insecure methods are widespread and incorrectly recommended: 1, 2, 3. This change, together with community education, would alleviate the situation.

It's worth discussion whether json_escape should always return HTML-safe strings, such that it can be used without explicitly calling html_safe:

<script>
  var data = <%=j @data.to_json %>;
</script>

Also related is the discussion of the other j helper at #3578.

The previous definition removed double quote characters, and hence returned invalid JSON, making it unsuitable for the most common use case: bootstrapping JSON in a <script> element. The original definition was at 0ff7a2d, without indication that the double quote behavior was intentional. It seems likely that it was simply an oversight after copy and pasting the definition of html_escape. Furthermore, since json_escape does not return a HTML-safe string if not passed one, it is unnecessary for it to escape characters other than the slash.

colszowka · 2012-05-09T06:07:50Z

+1

rapind · 2012-06-21T16:30:31Z

+1

anbotero · 2012-08-08T02:59:21Z

+1

ay · 2012-09-02T11:25:50Z

+1

moll · 2012-09-08T14:55:30Z

So, what's the state with this? The current escape_json is one freaky bastard.

steveklabnik · 2012-09-08T15:30:13Z

The current state is 'nobody from core has reviewed it.'

steveklabnik · 2012-11-17T13:09:55Z

This needs a rebase.

parndt · 2013-02-26T21:00:38Z

@jfirebaugh are you able to rebase this so that it can be reviewed? Looks like a useful change 👍

conzett · 2013-03-13T03:43:17Z

+1

nertzy · 2013-04-06T01:17:10Z

+1, I've often worried about </script> leaking in via user input. It's much better to know how to address this.

lidaobing · 2013-04-18T10:07:28Z

-1

the widely used $("#form").html("<%= j render(:partial => ....) %>") no longer works

gabetax · 2013-04-18T14:41:46Z

@lidaobing The already-merged #3578 removed the j alias to json_escape, and leaves it pointing to escape_javascript, which the docs say is for your use case. I don't think this change should affect your cited use case.

lidaobing · 2013-04-19T01:59:00Z

@gabetax got it, thanks

Hebo · 2013-06-04T18:50:42Z

+1, ran into this issue, and it would be great for Rails to have a way of handling this.

gerwitz · 2013-06-16T13:29:09Z

+1

MCodyB · 2014-02-05T19:56:28Z

I'm not sure if this is the right place but I thought I should point out that the rubydocs don't reflect this change
JSON_ESCAPE_REGEXP = /[&"><]/

instead of the new regex

JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u

Similarly it's still
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

instead of the new

JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }

http://rubydoc.info/docs/rails/ERB/Util#json_escape-class_method
http://api.rubyonrails.org/classes/ERB/Util.html

chancancode · 2014-02-05T19:58:17Z

This is only fixed on master (and 4.1.beta1), you can see it on
http://edgeapi.rubyonrails.org/classes/ERB/Util.html

On Wed, Feb 5, 2014 at 11:56 AM, MCodyB notifications@github.com wrote:

I'm not sure if this is the right place but I thought I should point out
that the rubydocs don't reflect this change
JSON_ESCAPE_REGEXP = /[&"><]/

instead of the new regex

JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u

Similarly it's still
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

instead of the new

JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c',
"\u2028" => '\u2028', "\u2029" => '\u2029' }

http://rubydoc.info/docs/rails/ERB/Util#json_escape-class_method
http://api.rubyonrails.org/classes/ERB/Util.html

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/6094#issuecomment-34230671
.

jfirebaugh mentioned this pull request Apr 30, 2012

Remove j alias for ERB::Util.json_escape #3578

Merged

Empact mentioned this pull request Jul 21, 2013

Rebase #6094 "Provide a more useful definition of json_escape" and update docs. #11526

Closed

chancancode mentioned this pull request Nov 28, 2013

Fixed json_escape (again) #13073

Merged

rafaelfranca closed this Dec 4, 2013

ankane mentioned this pull request Jul 11, 2015

Javascript breaks in queries/show ankane/blazer#18

Closed

Provide a more useful definition of json_escape #6094

Provide a more useful definition of json_escape #6094

Uh oh!

Conversation

jfirebaugh commented Apr 30, 2012

Uh oh!

colszowka commented May 9, 2012

Uh oh!

rapind commented Jun 21, 2012

Uh oh!

anbotero commented Aug 8, 2012

Uh oh!

ay commented Sep 2, 2012

Uh oh!

moll commented Sep 8, 2012

Uh oh!

steveklabnik commented Sep 8, 2012

Uh oh!

steveklabnik commented Nov 17, 2012

Uh oh!

parndt commented Feb 26, 2013

Uh oh!

conzett commented Mar 13, 2013

Uh oh!

nertzy commented Apr 6, 2013

Uh oh!

lidaobing commented Apr 18, 2013

Uh oh!

gabetax commented Apr 18, 2013

Uh oh!

lidaobing commented Apr 19, 2013

Uh oh!

Hebo commented Jun 4, 2013

Uh oh!

gerwitz commented Jun 16, 2013

Uh oh!

MCodyB commented Feb 5, 2014

Uh oh!

chancancode commented Feb 5, 2014

Uh oh!

Uh oh!