Closed Rotario closed 2 years ago
Hey @Rotario 👋 I believe this is intentional, under the hood Jbuilder.encode
uses #to_json and with Rails 4+, activesupport by default overrides #to_json escaping html entities. You can find some extra details on why here:
I think the important part here is that the output is parsable and that's not an issue 👌
This is a default I would not override, see https://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json/ 😀
That being said, if you really need to, you can by setting the config.active_support.escape_html_entities_in_json config false
.
Thanks for the information - I'll read up on it!
Hi, thanks for the work this is really useful! Although I can't seem to render html_safe strings out? This code runs but
Expected:
{"html": "<button>html</button>"}
Actual:
{\"html\":\"\\u003cbutton\\u003ehtml\\u003c/button\\u003e\"}
I'm running Ruby 3.1.0 and Jbuilder 2.11.5