
Added option to do entity encoding #187

Merged
merged 1 commit into from Jul 27, 2018

Conversation

@eileencodes eileencodes commented Jul 20, 2018

This adds a feature to support entity encoding to escape characters that
can be used in XSS attacks. This is to match the behavior in
ActiveSupport::JSON. The purpose of matching AS::JSON behavior is so we
can replace it with Yajl so we can use the faster version.

Worked on this with @tenderlove to add the same support we have in ActiveSupport::JSON

cc/ @rafaelfranca @jeremy
cc/ @brianmario
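As an added illustration, not code from this pull request or from yajl-ruby, the following Ruby sketches the encoding modes the description and review thread talk about: plain JSON, a mode that also escapes `/`, and an entity-encoding mode that additionally turns `<`, `>` and `&` into `\u003c`, `\u003e` and `\u0026`. The mode constants, the function names and the sample string are assumptions made for this example; the `\u00XX` replacements are the ones ActiveSupport::JSON uses for these characters and the `\/` form follows the linked json change, both stated from knowledge of those projects rather than from this page. `raw_markup` lists what survives unescaped in each mode, and `round_trips?` confirms through the stock json parser that the extra escaping is lossless.

```ruby
# Added illustration, not yajl-ruby code: a per-character JSON string encoder
# with the three modes the discussion implies. Mode values are an assumption.
require "json"

PLAIN         = 0 # ordinary JSON escaping only
HTML_SAFE     = 1 # additionally escape "/" as "\/" (as in the linked json change)
ENTITY_ENCODE = 2 # additionally encode "<", ">", "&" as \u00XX (ActiveSupport::JSON style)

ENTITY_ESCAPES = { "<" => "\\u003c", ">" => "\\u003e", "&" => "\\u0026" }.freeze

# Returns a quoted JSON string literal for +str+ under +mode+.
# Written as a per-character switch so it can be read against the C hunk.
def encode_json_string(str, mode = PLAIN)
  out = String.new('"')
  str.each_char do |c|
    out << case c
           when '"'  then '\\"'
           when "\\" then "\\\\"
           when "\n" then "\\n"
           when "\r" then "\\r"
           when "\t" then "\\t"
           when "\b" then "\\b"
           when "\f" then "\\f"
           # "/" is escaped in every non-zero mode, i.e. the
           # `htmlSafe == 1 || htmlSafe == 2` shape rather than `htmlSafe == 1` alone
           when "/"  then mode == PLAIN ? c : "\\/"
           when "<", ">", "&" then mode == ENTITY_ENCODE ? ENTITY_ESCAPES[c] : c
           else c.ord < 0x20 ? format("\\u%04x", c.ord) : c
           end
  end
  out << '"'
end

# Raw markup left in the literal that matters once it is inlined into HTML:
# the characters "<", ">", "&" and the two-character sequence "</".
def raw_markup(encoded)
  encoded.scan(%r{</|[<>&]}).uniq
end

# Decode through the stock json parser to confirm the escapes are lossless.
def round_trips?(str, mode)
  JSON.parse("[#{encode_json_string(str, mode)}]").first == str
end

SAMPLE = "<b>Tom & Jerry</b>" # constructed sample input

if __FILE__ == $PROGRAM_NAME
  [PLAIN, HTML_SAFE, ENTITY_ENCODE].each do |mode|
    enc = encode_json_string(SAMPLE, mode)
    puts "mode #{mode}: #{enc}  leftover markup: #{raw_markup(enc).inspect}"
  end
end
```

Running it shows mode 0 leaving `</` intact, mode 1 removing only the `</` sequence, and mode 2 leaving no `<`, `>` or `&` at all while every mode still parses back to the original string.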

@rafaelfranca

Should we also take care of the /? https://github.com/flori/json/pull/235/files

@tenderlove

> Should we also take care of the /?

Ah, yes we should

@@ -76,10 +82,39 @@ yajl_string_encode2(const yajl_print_t print,
case '\b': escaped = "\\b"; break;
case '\t': escaped = "\\t"; break;
case '/':
if (htmlSafe) {
if (htmlSafe == 1) {
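Review bot: on the `case '/':` branch the inner `if (htmlSafe == 1)` escapes the slash only when htmlSafe is exactly 1, so a second non-zero mode (the value 2 named in the follow-up review comment) enters the outer `if (htmlSafe)` block and then skips the escape. Since escaping `/` in HTML-embedded JSON is the point of the linked json change, either test `htmlSafe == 1 || htmlSafe == 2` here or drop the inner condition and let the outer `if (htmlSafe)` cover every non-zero mode.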

Let's change this to `htmlSafe == 1 || htmlSafe == 2` to address @rafaelfranca's comment

This adds a feature to support entity encoding to escape characters that
can be used in XSS attacks. This is to match the behavior in
ActiveSupport::JSON. The purpose of matching AS::JSON behavior is so we
can replace it with Yajl so we can use the faster version.

Co-authored-by: Aaron Patterson <aaron.patterson@gmail.com>
@eileencodes

I added support for encoding slashes and force pushed 👍

@brianmario

Thanks @eileencodes and @tenderlove!

@brianmario brianmario merged commit 4a0fb0b into brianmario:master Jul 27, 2018
@eileencodes eileencodes deleted the escape-entities branch July 27, 2018 16:38