Commit 2d62ec4

committed
Fix the BEWARE documentation in load and unsafe_load.
1 parent d5e4a6e commit 2d62ec4

1 file changed

+14
-7
lines changed

lib/json/common.rb

Lines changed: 14 additions & 7 deletions
@@ -411,6 +411,10 @@ class << self
411411
#
412412
# Returns the Ruby objects created by parsing the given +source+.
413413
#
414+
# BEWARE: This method is meant to serialise data from trusted user input,
415+
# like from your own database server or clients under your control, it could
416+
# be dangerous to allow untrusted users to pass JSON sources into it.
417+
#
414418
# - Argument +source+ must be, or be convertible to, a \String:
415419
# - If +source+ responds to instance method +to_str+,
416420
# <tt>source.to_str</tt> becomes the source.
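Review bot: the new BEWARE paragraph (lines 414-416) says the method is "meant to serialise data", but unsafe_load parses, i.e. deserialises, its +source+; write "deserialise" or "parse" so the warning describes the direction of the data flow it is cautioning about. The sentence is also a comma splice ("... clients under your control, it could be dangerous ..."); split it, e.g. "... clients under your control. It can be dangerous to let untrusted users pass JSON sources into it." Since the risk comes from `create_additions` instantiating arbitrary classes named in the document (see the load docs in this same commit), one clause naming that cause would make the warning actionable rather than vague.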
@@ -425,9 +429,6 @@ class << self
425429
# - Argument +proc+, if given, must be a \Proc that accepts one argument.
426430
# It will be called recursively with each result (depth-first order).
427431
# See details below.
428-
# BEWARE: This method is meant to serialise data from trusted user input,
429-
# like from your own database server or clients under your control, it could
430-
# be dangerous to allow untrusted users to pass JSON sources into it.
431432
# - Argument +opts+, if given, contains a \Hash of options for the parsing.
432433
# See {Parsing Options}[#module-JSON-label-Parsing+Options].
433434
# The default options can be changed via method JSON.unsafe_load_default_options=.
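Review bot: removing the BEWARE block from between the "- Argument +proc+" and "- Argument +opts+" items (old lines 428-430) is the right call, since a prose paragraph in the middle of an RDoc bullet list split the list; after this hunk "See details below." is directly followed by "- Argument +opts+", so confirm the rendered list is contiguous. The moved copy at the top of the method docs is unchanged text, so whatever wording fix is applied there (serialise/deserialise) should be made in one place only.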
@@ -564,6 +565,16 @@ def unsafe_load(source, proc = nil, options = nil)
564565
#
565566
# Returns the Ruby objects created by parsing the given +source+.
566567
#
568+
# BEWARE: This method is meant to serialise data from trusted user input,
569+
# like from your own database server or clients under your control, it could
570+
# be dangerous to allow untrusted users to pass JSON sources into it.
571+
# If you must use it, use JSON.unsafe_load instead to make it clear.
572+
#
573+
# Since JSON version 2.8.0, `load` emits a deprecation warning when a
574+
# non native type is deserialized, without `create_additions` being explicitly
575+
# enabled, and in JSON version 3.0, `load` will have `create_additions` disabled
576+
# by default.
577+
#
567578
# - Argument +source+ must be, or be convertible to, a \String:
568579
# - If +source+ responds to instance method +to_str+,
569580
# <tt>source.to_str</tt> becomes the source.
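Review bot: line 571 "If you must use it, use JSON.unsafe_load instead to make it clear." has an ambiguous "it" and does not say what is being made clear; suggest "If you must parse untrusted input with `create_additions` enabled, call JSON.unsafe_load instead so the risk is explicit at the call site." Lines 573-576 switch to backtick markup (`load`, `create_additions`) while the surrounding RDoc uses +word+ and <tt>; backticks are not RDoc markup, so use +load+ and +create_additions+ for consistent rendering. "non native type" should be hyphenated as "non-native type". It would also help readers to state the migration path alongside the version note, e.g. that passing +create_additions: false+ explicitly silences the 2.8.0 deprecation warning and matches the 3.0 default.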
@@ -578,10 +589,6 @@ def unsafe_load(source, proc = nil, options = nil)
578589
# - Argument +proc+, if given, must be a \Proc that accepts one argument.
579590
# It will be called recursively with each result (depth-first order).
580591
# See details below.
581-
# BEWARE: This method is meant to serialise data from trusted user input,
582-
# like from your own database server or clients under your control, it could
583-
# be dangerous to allow untrusted users to pass JSON sources into it.
584-
# If you must use it, use JSON.unsafe_load instead to make it clear.
585592
# - Argument +opts+, if given, contains a \Hash of options for the parsing.
586593
# See {Parsing Options}[#module-JSON-label-Parsing+Options].
587594
# The default options can be changed via method JSON.load_default_options=.
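Review bot: this removal (old lines 581-584) mirrors the unsafe_load hunk above and the list now reads "See details below." straight into "- Argument +opts+", so the RDoc bullet list is no longer interrupted. Note that the removed copy and the re-added copy at line 568-571 carry the same "serialise" and dangling "it" wording, so the edits suggested on the earlier hunks apply to the re-added text, not to anything in this hunk.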