diff options
| author | Jean Boussier <[email protected]> | 2023-04-13 19:22:29 +0200 |
|---|---|---|
| committer | Hiroshi SHIBATA <[email protected]> | 2023-12-01 16:47:06 +0900 |
| commit | 0dfeb172968cdaefca2ab828c94d3e5f44d91f8f (patch) | |
| tree | 2850662a485dd3f42068bf14ce4618d77b4b13d6 /ext/json/lib/json.rb | |
| parent | 698cb8406298ff289ba7abadf34abc3d09a07ef0 (diff) | |
Rename escape_slash in script_safe and also escape E+2028 and E+2029
It is rather common to directly interpolate JSON string inside
<script> tags in HTML as to provide configuration or parameters to a
script.
However this may lead to XSS vulnerabilities, to prevent that 3
characters need to be escaped:
- `/` (forward slash)
- `U+2028` (LINE SEPARATOR)
- `U+2029` (PARAGRAPH SEPARATOR)
The forward slash need to be escaped to prevent closing the script
tag early, and the other two are valid JSON but invalid Javascript
and can be used to break JS parsing.
Given that the intent of escaping forward slash is the same than escaping
U+2028 and U+2029, I chos to rename and repurpose the existing `escape_slash`
option.
Diffstat (limited to 'ext/json/lib/json.rb')
| -rw-r--r-- | ext/json/lib/json.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/ext/json/lib/json.rb b/ext/json/lib/json.rb index 1e64bfcb1a..807488ffef 100644 --- a/ext/json/lib/json.rb +++ b/ext/json/lib/json.rb @@ -285,6 +285,15 @@ require 'json/common' # # Raises JSON::NestingError (nesting of 2 is too deep): # JSON.generate(obj, max_nesting: 2) # +# ====== Escaping Options +# +# Options +script_safe+ (boolean) specifies wether <tt>'\u2028'</tt>, <tt>'\u2029'</tt> +# and <tt>'/'</tt> should be escaped as to make the JSON object safe to interpolate in script +# tags. +# +# Options +ascii_only+ (boolean) specifies wether all characters outside the ASCII range +# should be escaped. +# # ====== Output Options # # The default formatting options generate the most compact |