Escape HTML entities in JSON keys

Fixes CVE-2015-3226

Escape HTML entities in JSON keys
Fixes CVE-2015-3226
193b76cb · Rafael Mendonça França · af01f45f · 193b76cb · 193b76cb
Showing with 11 addition and 0 deletion

activesupport/lib/active_support/json/encoding.rb activesupport/lib/active_support/json/encoding.rb +4 -0

activesupport/test/json/encoding_test.rb activesupport/test/json/encoding_test.rb +7 -0

未找到文件。
--- a/activesupport/lib/active_support/json/encoding.rb
+++ b/activesupport/lib/active_support/json/encoding.rb
@@ -57,6 +57,10 @@ def to_json(*)
                super.gsub ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, ESCAPED_CHARS
              end
            end
+
+            def to_s
+              self
+            end
          end

          # Mark these as private so we don't leak encoding-specific constructs

--- a/activesupport/test/json/encoding_test.rb
+++ b/activesupport/test/json/encoding_test.rb
@@ -147,6 +147,13 @@ def test_hash_encoding
    assert_equal %({\"a\":\"b\",\"c\":\"d\"}), sorted_json(ActiveSupport::JSON.encode(:a => :b, :c => :d))
  end

+  def test_hash_keys_encoding
+    ActiveSupport.escape_html_entities_in_json = true
+    assert_equal "{\"\\u003c\\u003e\":\"\\u003c\\u003e\"}", ActiveSupport::JSON.encode("<>" => "<>")
+  ensure
+    ActiveSupport.escape_html_entities_in_json = false
+  end
+
  def test_utf8_string_encoded_properly
    result = ActiveSupport::JSON.encode('€2.99')
    assert_equal '"€2.99"', result