NZKoz / rails_xss

A plugin for rails 2.3.5 applications which switches the default to escape by default. Later versions should use rails/rails_xss
MIT License

to_json should be html_safe! #14

Closed ghazel closed 14 years ago

ghazel commented 14 years ago
<% javascript_tag do %>
  var foo = <%= "foo".to_json %>;
<% end %>

produces:

var foo = &quot;foo&quot;;

in the javascript tag.

I believe all json is html safe, no? json escapes: '&' => '\u0026', '>' => '\u003E', '<' => '\u003C'. Although I suppose there should be .json_safe? etc, just marking it as html_safe! would avoid this bug.

NZKoz commented 14 years ago

This is a mixing of concerns / an MVC violation; the strings returned by to_json shouldn't know anything about the existence of the rails_xss output buffers or how they work.

If you want this to work you'll have to do:

<% javascript_tag do %>
  var foo = <%= raw "foo".to_json %>;
<% end %>

NZKoz commented 14 years ago

This is expected behaviour
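The exchange above, reproduced in runnable form as an added example (this is not the plugin's code and not posted by either participant). It models the rails_xss output buffer with a small `SafeBuffer` class, a `raw` helper, and a `js_json` encoder that applies the `& > <` escapes ghazel cites on top of Ruby's stdlib `JSON.generate` (the stdlib generator does not add those escapes itself, so they are applied here by hand). `render_script` stands in for the `javascript_tag` template in the issue; the `use_raw:` flag switches between the buggy output and the `raw` fix, and `encoder:` lets you compare the HTML-escaping encoder with the bare stdlib one. Class and method names are this example's own.

```ruby
require "json"
require "cgi"

# Minimal model of the rails_xss output buffer (constructed for this example,
# not the plugin's own SafeBuffer): a String that knows its content is safe
# HTML and escapes anything unsafe that is appended to it.
class SafeBuffer < String
  def html_safe?
    true
  end

  # A safe string is copied through; anything else is HTML-escaped, which is
  # exactly what turns the JSON quotes into &quot; in the issue.
  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other.to_s)
    else
      super(CGI.escapeHTML(other.to_s))
    end
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# The `raw` helper from the fix: mark a string safe without escaping it.
def raw(str)
  str.to_s.html_safe
end

# JSON encoder with the `& > <` escapes ghazel cites.  Assumption: the real
# plugin gets these from Rails' own JSON encoder; stdlib JSON.generate does
# not add them, so they are applied here with a gsub.
JSON_HTML_ESCAPES = { "&" => '\u0026', ">" => '\u003E', "<" => '\u003C' }.freeze

def js_json(value)
  JSON.generate(value).gsub(/[&<>]/, JSON_HTML_ESCAPES)
end

# Simulates the template in the issue: the ERB output buffer is a SafeBuffer,
# the template's literal text is appended as safe (as ERB's own text is), and
# the <%= %> value is appended with or without `raw`.
def render_script(value, use_raw:, encoder: method(:js_json))
  json = encoder.call(value)
  out = SafeBuffer.new
  out << raw("<script type=\"text/javascript\">\n")
  out << raw("  var foo = ")
  out << (use_raw ? raw(json) : json)
  out << raw(";\n</script>")
  out.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts render_script("foo", use_raw: false)  # the bug: quotes become &quot;
  puts render_script("foo", use_raw: true)   # the fix: var foo = "foo";
  # Escaping encoder + raw: the payload cannot close the script tag.
  puts render_script("</script><script>alert(1)</script>", use_raw: true)
  # Bare stdlib encoder + raw: the payload breaks out of the tag.
  puts render_script("</script><script>alert(1)</script>",
                     use_raw: true, encoder: JSON.method(:generate))
end
```

The last two calls are the caveat a reader should take from the thread: `raw` does nothing but mark the string safe, so it is only acceptable on JSON output whose encoder escapes `<`, `>` and `&` into `\u003C`, `\u003E` and `\u0026`. Feed it the output of an encoder that leaves those characters alone and a value containing `</script>` lands in the page verbatim.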