dewski / json_builder

Rails provides an excellent XML Builder by default to build RSS and ATOM feeds, but nothing to help you build complex and custom JSON data structures. JSON Builder is here to help.
http://garrettbjerkhoel.com/json_builder/
MIT License

JS_ESCAPE_MAP is incomplete and causes invalid JSON output #41

Open scomma opened 11 years ago

scomma commented 11 years ago

There are a bunch of control characters which users routinely enter, such as "\v", "\f", "\u0003" and even "\b", which json_builder fails to escape, resulting in invalid output that both JSON.parse and browsers' JSON library choke on.

[413] pry(main)> "\n".to_json
=> "\"\\n\""
[414] pry(main)> "\n".to_builder
=> "\"\\n\""
[415] pry(main)> "\b".to_json
=> "\"\\b\""
[416] pry(main)> "\b".to_builder
=> "\"\b\""
[417] pry(main)> JSON.parse '{"x": %s}' % _
JSON::ParserError: 757: unexpected token at '{"x": "}'
from /Users/alpha/.rbenv/versions/1.9.3-p362/lib/ruby/gems/1.9.1/gems/json-1.7.7/lib/json/common.rb:155:in `parse'

Right now our only workaround is to sanitize user input.
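An added example, not json_builder's own code and not part of the report above: a string escaper that covers every character RFC 8259 requires to be escaped (the quote, the backslash and all of U+0000 through U+001F), checked by round-tripping through JSON.parse. The names `SHORT_ESCAPES`, `MUST_ESCAPE`, `escape_json_string`, `round_trips?` and `SAMPLES` are assumptions made for this sketch.

```ruby
require 'json'

# The two-character escapes RFC 8259 defines for a JSON string.
SHORT_ESCAPES = {
  '"'  => '\\"',
  '\\' => '\\\\',
  "\b" => '\\b',
  "\f" => '\\f',
  "\n" => '\\n',
  "\r" => '\\r',
  "\t" => '\\t'
}.freeze

# Everything that may not appear raw inside a JSON string:
# the double quote, the backslash, and all control characters U+0000..U+001F.
MUST_ESCAPE = /["\\\x00-\x1f]/

# Hypothetical helper: returns a quoted JSON string literal for str.
# Characters without a short escape fall back to the \u00XX form,
# so no control character can reach the output unescaped.
def escape_json_string(str)
  body = str.encode('UTF-8').gsub(MUST_ESCAPE) do |ch|
    SHORT_ESCAPES.fetch(ch) { format('\\u%04x', ch.ord) }
  end
  %("#{body}")
end

# Constructed sample input, including the characters named in the issue.
SAMPLES = [
  "\v", "\f", "\u0003", "\b",
  "line\nbreak", %(quote " and \\ slash), "caf\u00e9"
].freeze

# True when the escaped literal parses back to the original string.
def round_trips?(str)
  JSON.parse(%({"x": #{escape_json_string(str)}}))['x'] == str
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |s|
    puts "#{s.inspect} -> #{escape_json_string(s)} round-trips: #{round_trips?(s)}"
  end
end
```

A round-trip check like `round_trips?` over all of U+0000 through U+001F makes a useful regression test for any hand-written escape map.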