Added \u2028 \u2029 to json_escape
parent
c229c7a39c
commit
2c564cdbdb
|
@ -1,4 +1,7 @@
|
|||
* Fixed a long-standing bug in `json_escape` that causes quotation marks to be stripped.
|
||||
This method also escapes the \u2028 and \u2029 unicode newline characters which are
|
||||
treated as \n in JavaScript. This matches the behaviour of the AS::JSON encoder. (The
|
||||
original change in the encoder was introduced in #10534.)
|
||||
|
||||
*Godfrey Chan*
|
||||
|
||||
|
|
|
@ -33,7 +33,8 @@ class ErbUtilTest < ActiveSupport::TestCase
|
|||
['"&"', '"\u0026"'],
|
||||
['"</script>"', '"\u003c/script\u003e"'],
|
||||
['["</script>"]', '["\u003c/script\u003e"]'],
|
||||
['{"name":"</script>"}', '{"name":"\u003c/script\u003e"}']
|
||||
['{"name":"</script>"}', '{"name":"\u003c/script\u003e"}'],
|
||||
[%({"name":"d\u2028h\u2029h"}), '{"name":"d\u2028h\u2029h"}']
|
||||
]
|
||||
|
||||
def test_html_escape
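Review bot: The new test row is easy to misread because its two halves use different quoting on purpose: the input `%({"name":"d\u2028h\u2029h"})` is a `%Q`-style literal, so Ruby substitutes the real U+2028/U+2029 code points, while the expected value is single-quoted and therefore holds the literal six-character `\u2028`/`\u2029` escape sequences. A comment on that row such as `# input carries the raw U+2028/U+2029 characters; expected output carries their JSON escape sequences` would spare the next reader the double-take. The enclosing array of cases starts above this hunk.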
|
||||
|
|
|
@ -4,9 +4,9 @@ require 'active_support/core_ext/kernel/singleton_class'
|
|||
class ERB
|
||||
module Util
|
||||
HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' }
|
||||
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c' }
|
||||
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
|
||||
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
|
||||
JSON_ESCAPE_REGEXP = /[&><]/
|
||||
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
|
||||
|
||||
# A utility method for escaping HTML tag characters.
|
||||
# This method is also aliased as <tt>h</tt>.
|
||||
|
@ -50,9 +50,11 @@ class ERB
|
|||
|
||||
# A utility method for escaping HTML entities in JSON strings. Specifically, the
|
||||
# &, > and < characters are replaced with their equivilant unicode escaped form -
|
||||
# \u0026, \u003e, and \u003c. These sequences has identical meaning as the original
|
||||
# characters inside the context of a JSON string, so assuming the input is a valid
|
||||
# and well-formed JSON value, the output will have equivilant meaning when parsed:
|
||||
# \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also
|
||||
# escaped as then are treated as newline characters in some JavaScript engines.
|
||||
# These sequences has identical meaning as the original characters inside the
|
||||
# context of a JSON string, so assuming the input is a valid and well-formed
|
||||
# JSON value, the output will have equivilant meaning when parsed:
|
||||
#
|
||||
# json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
|
||||
# # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"
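Review bot: The `/u` flag on the new `JSON_ESCAPE_REGEXP` pins the pattern's encoding to UTF-8, and Ruby raises `Encoding::CompatibilityError` when a fixed-encoding regexp is matched against a string in a different encoding that contains non-ASCII bytes (an ISO-8859-1 or binary string, for instance), whereas the previous `/[&><]/` matched any ASCII-compatible string; if `json_escape` (its body lies outside these hunks) passes the caller's string straight to `gsub`, that is a new failure mode that deserves a note in the method comment or an explicit encoding check. The single-quoted values in `JSON_ESCAPE` are correct but look like a mistake next to the double-quoted keys; a comment such as `# keys are the raw code points, values are the literal six-character JSON escapes` would make the intent explicit. The second hunk's comment also carries a few slips: `equivilant` should be `equivalent` (it appears twice), `as then are treated` should be `as they are treated`, and `These sequences has` should be `These sequences have`.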
|
||||
|
|