Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an option to escape forward slash character #405

Merged
merged 1 commit into from Jul 31, 2020
Merged

Add an option to escape forward slash character #405

merged 1 commit into from Jul 31, 2020

Conversation

casperisfine
Copy link

This is a rebase of #235.

As per the spec, the forward slash should be escaped in json strings. Not escaping the forward slash causes a security issue when a json object is interpolated inside of a script tag.

For instance:

irb(main):013:0> include ActionView::Helpers::TagHelper
=> Object
irb(main):014:0> include ActionView::Helpers::JavaScriptHelper
=> Object
irb(main):015:0> puts javascript_tag 'var json='+JSON.generate({"key"=>"</script><script>whatever()//"})
<script>
//<![CDATA[
var json={"key":"</script><script>whatever()//"}
//]]>
</script>

In javascript </script> has precedence over everything else, so in this case the script tag is terminated and whatever() is executed even though it should be part of the string.

The correct way to defend against this security issue is to escape the forward slash, so that </script> does not terminate the original script tag and the json string stays a string.

@casperisfine casperisfine mentioned this pull request Jan 30, 2020
Closed
@casperisfine
Copy link
Author

@hsbt any chance this could be considered?

marcandre
marcandre suggested changes Jun 25, 2020
View reviewed changes
Copy link
Contributor

@marcandre marcandre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great PR. A few minor observations

json_pure.gemspec Outdated Show resolved Hide resolved
lib/json/pure/generator.rb Show resolved Hide resolved
lib/json/pure/generator.rb Outdated Show resolved Hide resolved
lib/json/common.rb Outdated Show resolved Hide resolved
tests/json_generator_test.rb Outdated Show resolved Hide resolved
tests/json_generator_test.rb Outdated Show resolved Hide resolved
@marcandre
Copy link
Contributor

If I'm not mistaken, the default for escape_slash is false in general, but it is true for j, jj, dump_default_options and thus JSON.generate? I don't know if that the best default.

@casperisfine
Copy link
Author

Thanks for the review. I'll update the PR soon.

@casperisfine
Copy link
Author

@marcandre all done!

@casperisfine casperisfine force-pushed the escape-slash-2.3.0 branch 2 times, most recently from 93e14ad to b386f31 Compare June 25, 2020 09:27
@casperisfine
Copy link
Author

If I'm not mistaken, the default for escape_slash is false in general, but it is true for j, jj, dump_default_options and thus JSON.generate? I don't know if that the best default.

I just pushed another commit to address this. These were leftovers from #235 which made escape_slash enabled by default, but that was deemed a compatibility breakage.

IMHO it would be preferable to enable it by default at some point, but I understand how it's better to be cautious. So let's keep it purely opt-in for now.

marcandre
marcandre approved these changes Jun 25, 2020
View reviewed changes
Copy link
Contributor

@marcandre marcandre left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good job! LGTM

@marcandre marcandre mentioned this pull request Jun 25, 2020
Closed
@marcandre
Copy link
Contributor

Documentation has been greatly improved; @casperisfine could you resolve the conflicts?

@byroot
Add an option to escape forward slash character
8a18cf6 
Squashed commit of the following:

commit 26d1810
Author: Francois Chagnon <francois.chagnon@jadedpixel.com>
Date:   Tue Sep 15 21:17:34 2015 +0000

    add config options for escape_slash

commit fa28233
Author: Francois Chagnon <francois.chagnon@jadedpixel.com>
Date:   Mon Feb 9 21:09:33 2015 +0000

    add forward slash to escape character
@casperisfine
Copy link
Author

Done.

@marcandre
Copy link
Contributor

Thanks @casperisfine 👍

@hsbt thank you in advance for merging this

@casperisfine
Copy link
Author

Any news on this?

@marcandre
Copy link
Contributor

@hsbt can this be merged?

@hsbt
Copy link
Collaborator

hsbt commented Jul 31, 2020

I have no opnion about this.

@nurse Can you review this?

@nurse
Copy link
Collaborator

nurse commented Jul 31, 2020
edited

As flori said in #235 (comment), he agreed this feature if it's configurable and disabled by default. And the policy sounds reasonable for me, the release manager of Ruby 2.8/3.0. Now this PR follows the comment and it's considered as acceptable. I merge this.

@nurse nurse merged commit 8e081fb into flori:master Jul 31, 2020
This was referenced Mar 8, 2021
Merged
Closed
Open
Open
Open
Open
This was referenced Mar 15, 2021
Open
Open
Open
Open
Open
Open
Closed
Closed
Open
Closed
Open
Open
Open
Open
Closed
Merged
Closed
Merged
Open
Open
Open
Open
Open
Open
Closed
@marcandre marcandre mentioned this pull request Mar 23, 2021
Open
casperisfine pushed a commit to Shopify/oj that referenced this pull request Jun 20, 2022
@byroot
Implement :escape_mode => :slash
f9ffad0 
Similar to flori/json#405
It's a cheap way to make JSON safe to interpolate in a `<script>`
tag.
casperisfine pushed a commit to Shopify/oj that referenced this pull request Jun 20, 2022
@byroot
Implement :escape_mode => :slash
9b3d1f8 
Similar to flori/json#405
It's a cheap way to make JSON safe to interpolate in a `<script>`
tag.
@casperisfine casperisfine mentioned this pull request Jun 20, 2022
Merged
ohler55 pushed a commit to ohler55/oj that referenced this pull request Jun 20, 2022
@casperisfine @byroot
Implement :escape_mode => :slash (#777)
f1e7748 
Similar to flori/json#405
It's a cheap way to make JSON safe to interpolate in a `<script>`
tag.

Co-authored-by: Jean Boussier <jean.boussier@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcandre marcandre marcandre approved these changes

Assignees

@nurse nurse

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@casperisfine @marcandre @hsbt @nurse @byroot