Currently, the documented "escape_html_entities_in_json" option is not working, and neither are the use_standard_json_time_format and encode_big_decimal_as_string parameters for the JSON encoder.
Developers should add them to application.rb (because they are env-independent options). At the moment such additions have no effect on the JSON encoder settings - the patch fixes it.
Not sure about adding it to the generator of application.rb.
escape_html_entities_in_json is a very important option though, what about only this? / @wycats @josevalim
Bonus question: Why is escape_html_entities_in_json false? It was true a while ago and everything was OK. Thanks
@homakov it's probably better to loop through the options instead of looping through the hardcoded list.
Can you fix that?
The first time I did it without a hardcoded array but experienced problems. Sorry, I cannot agree for a few reasons.
Merge pull request #6271 from homakov/patch-5
configuration for active_support and JSON Encoding
@homakov I was talking about this 45f6dcd
Thanks for your contributions and reviews :)
Not bad :) It was another way that I considered. Just not a fan of the "verbose" respond_to attitude. Thanks!
Let me open the last pull req on the topic - I still wonder if we can make it true by default...
@spastorino I think your solution to the problem won't work. Since there are no tests with this pull request, it should be reviewed and hopefully some tests will be added.
@josevalim not sure if your comment is from after we chatted or you still think that the fix won't work. But I've tested it on an application. Anyway, I agree we need tests. I was waiting for a final definition to see if we are setting this as default or not.
@homakov is right here: from a security perspective there's no good reason not to default escape_html_entities_in_json to true; the values aren't escaped, just encoded differently.
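
What "encoded differently" means for escape_html_entities_in_json, as an added example that is not part of this thread or of the Rails code base: a stdlib-only Ruby sketch showing that writing `<`, `>` and `&` as `\uXXXX` escapes changes the serialized text but not the parsed data. The names `HTML_UNSAFE`, `html_safe_json`, `round_trips?`, `html_significant?` and the sample payload are constructed for illustration, and the mapping is assumed to mirror what the option produces.

```ruby
require "json"

# Illustration only: HTML-significant characters and their JSON \uXXXX escapes.
HTML_UNSAFE = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

# Hypothetical helper (not the ActiveSupport encoder): serialize with the
# stdlib, then re-encode <, > and &. In valid JSON these characters can only
# occur inside string literals, so a global substitution keeps the JSON valid.
def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&]/) { |char| HTML_UNSAFE[char] }
end

# True when the re-encoded document parses back to exactly the same data.
def round_trips?(value)
  JSON.parse(html_safe_json(value)) == value
end

# True when the serialized text still contains characters an HTML parser
# would act on if the JSON were written into a page (e.g. inside <script>).
def html_significant?(json_text)
  json_text.match?(/[<>&]/)
end

# Constructed sample, including a key that ends in a backslash followed by "<"
# to show that existing JSON escapes are not disturbed.
SAMPLE = {
  "title"   => "</script> & <b>",
  "tags"    => ["a<b", "c&d"],
  "path\\<" => 1
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "default : #{JSON.generate(SAMPLE)}"
  puts "encoded : #{html_safe_json(SAMPLE)}"
  puts "same data after parse: #{round_trips?(SAMPLE)}"
end
```
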