> As far as I can tell the '<' and '>' characters don't actually need to
> be escaped to be valid JSON, but it's done anyway in Rails since
> PrototypeHelper and JavaScriptHelper depend on it, so I think we
> should leave it as it is until we decouple JSON encoding from the view
> helpers for generating inline JavaScript.
This was done to fix an XSS vulnerability (CVE-2007-3227).

> So, back to the issue at hand, which is that the string encoder for
> ActiveSupport::JSON converts "<" and ">" to '\074' and '\076', when it
> should actually be encoding them as '\u003C' and '\u003E'.

I assume that browsers still do the 'right' thing with those values? I'm all for valid JSON, but not at the expense of security ;).

--
Cheers

Koz
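The trade-off discussed in this thread, as an added stand-alone Ruby example (not Rails' or ActiveSupport::JSON's own encoder): both the '\u003C'/'\u003E' form and the '\074'/'\076' form keep a literal `</script>` out of inlined output, but only the `\uXXXX` form stays inside the JSON string grammar. The escape tables, the grammar regex and the helper names are this example's own.

```ruby
require 'json'

# Stand-alone illustration (not Rails' encoder): escape a Ruby string as a
# JSON string literal that is also safe to inline inside a <script> block.
# '<' and '>' need no escaping under the JSON grammar, but emitting them as
# \u003C / \u003E keeps "</script>" out of the output without leaving the
# grammar; the \074 / \076 octal form does the same job for the browser
# but is not valid JSON.
JSON_ESCAPES = {
  '"'  => '\\"',
  '\\' => '\\\\',
  "\b" => '\\b', "\f" => '\\f', "\n" => '\\n', "\r" => '\\r', "\t" => '\\t',
  '<'  => '\\u003C',
  '>'  => '\\u003E'
}.freeze

# The octal variant, kept only to show why it fails the grammar check below.
OCTAL_ESCAPES = JSON_ESCAPES.merge('<' => '\\074', '>' => '\\076').freeze

def escape_json_string(str, table = JSON_ESCAPES)
  body = str.gsub(/["\\<>\x00-\x1f]/) do |c|
    # Any control character without a short escape gets the generic \uXXXX form.
    table.fetch(c) { format('\\u%04X', c.ord) }
  end
  %("#{body}")
end

# JSON string grammar (RFC 4627): only these escape sequences are permitted.
JSON_STRING_LITERAL = /\A"(?:[^"\\\x00-\x1f]|\\["\\\/bfnrt]|\\u[0-9a-fA-F]{4})*"\z/

def valid_json_string_literal?(literal)
  JSON_STRING_LITERAL.match?(literal)
end

# True when the literal cannot close an enclosing <script> tag early.
def script_safe?(literal)
  !literal.include?('<') && !literal.include?('>')
end

# Decode a literal back through the standard parser (wrapped in an array so
# top-level scalars are accepted by every json gem version).
def round_trip(str)
  JSON.parse("[#{escape_json_string(str)}]").first
end
```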
