Closed Rotario closed 1 year ago
Hey @Rotario 👋 I believe this is intentional: under the hood, Jbuilder.encode uses #to_json, and with Rails 4+, ActiveSupport by default overrides #to_json, escaping HTML entities. You can find some extra details on why here:
I think the important part here is that the output is parsable and that's not an issue 👌
This is a default I would not override, see https://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json/ 😀
That being said, if you really need to, you can by setting the config.active_support.escape_html_entities_in_json config to false.
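Added example, not part of the thread and not Jbuilder or Rails code: a stdlib-only Ruby sketch of the escaping described in the reply above, showing that the \u003c form parses back to the original string and keeps a closing script tag out of an inline script block. The helpers escaped_json, script_tag and breaks_out_of_script? are hypothetical, and the escape table is an assumption modelled on ActiveSupport's behaviour.

```ruby
require "json"

# Assumption: escape table modelled on what ActiveSupport emits when
# escape_html_entities_in_json is enabled (the thread shows \u003c and \u003e).
ESCAPES = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Hypothetical helper: serialize with the stdlib, then escape. These characters
# can only occur inside JSON string literals, so the result is still valid JSON.
def escaped_json(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/, ESCAPES)
end

# Hypothetical helper: the risky pattern, JSON interpolated into inline script.
def script_tag(json)
  "<script>window.data = #{json};</script>"
end

# True when the data itself contributes a "</script" that would close the
# element before the intended closing tag.
def breaks_out_of_script?(html)
  html.scan(%r{</script}i).length > 1
end

# Constructed sample values.
button  = { "html" => "<button>html</button>" }
closing = { "html" => "</script><b>markup outside the script block</b>" }

puts escaped_json(button)                                       # escaped wire form
puts JSON.parse(escaped_json(button)) == button                 # round-trips intact
puts breaks_out_of_script?(script_tag(JSON.generate(closing)))  # unescaped
puts breaks_out_of_script?(script_tag(escaped_json(closing)))   # escaped
```

Any JSON parser decodes the escaped form back to the literal markup, so a client reading the response still receives the button string it expected.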
Thanks for the information - I'll read up on it!
Hi, thanks for the work, this is really useful! Although I can't seem to render html_safe strings out? This code runs but
Expected:
{"html": "<button>html</button>"}
Actual:
{\"html\":\"\\u003cbutton\\u003ehtml\\u003c/button\\u003e\"}
I'm running Ruby 3.1.0 and Jbuilder 2.11.5