Assume `to_json` to be safe in Rails 4

lib/brakeman/checks/check_cross_site_scripting.rb

@@ -66,6 +66,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
 
         json_escape_on = true
+    elsif version_between? "4.0.0", "5.0.0"
+      json_escape_on = true
     end
 
     if !json_escape_on or version_between? "0.0.0", "2.0.99"