张重言 / rails (GitCode mirror)
Commit 2b4ed722
Written on Jan 12, 2014
Author: Godfrey Chan
Merge pull request #13646 from jenseng/json_escape
Clarify behavior of json_escape [ci skip]
Parents: c0577eb5 7ce68406
Showing 1 changed file with 12 additions and 12 deletions (+12 -12)
activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -70,9 +70,20 @@ def html_escape_once(s)
# them inside a script tag to avoid XSS vulnerability:
#
# <script>
# var currentUser = <%=
json_escape current_user.to_json
%>;
# var currentUser = <%=
raw json_escape(current_user.to_json)
%>;
# </script>
#
# It is necessary to +raw+ the result of +json_escape+, so that quotation marks
# don't get converted to <tt>"</tt> entities. +json_escape+ doesn't
# automatically flag the result as HTML safe, since the raw value is unsafe to
# use inside HTML attributes.
#
# If you need to output JSON elsewhere in your HTML, you can just do something
# like this, as any unsafe characters (including quotation marks) will be
# automatically escaped for you:
#
# <div data-user-info="<%= current_user.to_json %>">...</div>
#
# WARNING: this helper only works with valid JSON. Using this on non-JSON values
# will open up serious XSS vulnerabilities. For example, if you replace the
# +current_user.to_json+ in the example above with user input instead, the browser
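Review bot: the sentence "so that quotation marks don't get converted to <tt>"</tt> entities" reads as a no-op as it appears here, because the thing named inside the <tt> tag is just a plain quotation mark rather than the entity; spell out the entity name (&quot;) in a way that survives RDoc/HTML rendering, otherwise the reason for the new `raw json_escape(current_user.to_json)` form is lost on the reader. In the same paragraph, the hunk says the raw value is "unsafe to use inside HTML attributes" but never says what json_escape does replace (the characters matched by JSON_ESCAPE_REGEXP in the method body), so a reader cannot see why the output is trusted inside <script> yet not inside an attribute; one clause listing the replaced characters would make the `raw` call justified instead of asserted.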
...
...
@@ -88,17 +99,6 @@ def html_escape_once(s)
# is recommended that you always apply this helper (other libraries, such as the
# JSON gem, do not provide this kind of protection by default; also some gems
# might override +to_json+ to bypass Active Support's encoder).
#
# The output of this helper method is marked as HTML safe so that you can directly
# include it inside a <tt><script></tt> tag as shown above.
#
# However, it is NOT safe to use the output of this inside an HTML attribute,
# because quotation marks are not escaped. Doing so might break your page's layout.
# If you intend to use this inside an HTML attribute, you should use the
# +html_escape+ helper (or its +h+ alias) instead:
#
# <div data-user-info="<%= h current_user.to_json %>">...</div>
#
def
json_escape
(
s
)
result
=
s
.
to_s
.
gsub
(
JSON_ESCAPE_REGEXP
,
JSON_ESCAPE
)
s
.
html_safe?
?
result
.
html_safe
:
result
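Review bot: the removed paragraph ("The output of this helper method is marked as HTML safe") was wrong for plain strings, but the new wording added above ("doesn't automatically flag the result as HTML safe") is still only half the story, because the unchanged body `s.html_safe? ? result.html_safe : result` propagates an html_safe input to the output: json_escape(x.html_safe) comes back html_safe and <%= %> will not escape it. Document that a safe-flagged input yields a safe-flagged output, since a caller who wants the attribute-safe path must not pass an html_safe string. Also, the dropped `h current_user.to_json` attribute example is replaced by one that relies on ERB auto-escaping of to_json's return value; that only holds when to_json returns an unsafe string, and the surrounding context lines themselves warn that some gems override to_json, so the attribute example should keep the explicit `h`/html_escape call rather than depend on the default.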