* It monkey-patches to_json whenever activesupport is included, and silently changes the behaviour of to_json
* It makes the JSON output ugly and less human readable (e.g. LogStash logs)
* It assumes everything is a browser, it breaks things when it isn't (e.g. URLs with parameters)
* It's not the expected behavior (
* Avoiding the escaping behavior requires the awkwardly named to_json_without_active_support_encoder method
* Adds an unnecessary performance overhead
* Adds an additional runtime configuration parameter, which means that any gem that uses to_json will behave differently depending on whether activesupport is included or not, and whether that parameter is enabled or not.
* Escapes using regex which might be a source of subtle security issues
* It's similar to PHP's infamous magic_quotes_gpc

Recommendations:
* In Rails 4.2 disable escape_html_entities_in_json by default, and deprecate it
* Remove it from Rails 5.0

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
Visit this group at http://groups.google.com/group/rubyonrails-core.
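The behaviour the post argues about, shown as an added example that is not part of the original message and not ActiveSupport's own code. It re-implements the substitution table the ActiveSupport JSON encoder applies when escape_html_entities_in_json is on (the table is taken from the gem's documented behaviour; treating it as equivalent is an assumption), and contrasts it with plain stdlib JSON. The sample hash and URL are constructed for the example. It shows both sides of the argument: the URL-with-parameters case where the escaped text looks broken to anyone reading it as text, the round trip that proves a real JSON parser still gets identical data, and the inline-script early-close case the escaping exists to prevent.

```ruby
require 'json'

# Substitutions applied by the ActiveSupport JSON encoder when
# escape_html_entities_in_json is enabled (assumption: mirrors the gem's
# escape table; this is a standalone re-implementation, not ActiveSupport code).
HTML_ESCAPES = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028',  # LINE SEPARATOR, invalid inside JS string literals
  "\u2029" => '\u2029',  # PARAGRAPH SEPARATOR
}.freeze

# Plain stdlib encoding: what to_json yields without the ActiveSupport encoder.
def plain_json(value)
  JSON.generate(value)
end

# Stdlib encoding followed by the HTML-entity escaping pass. Escaping the
# finished JSON text is equivalent to escaping each string, because none of
# the escaped characters can appear in JSON structural positions.
def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |c| HTML_ESCAPES[c] }
end

# Both encodings decode to the identical Ruby value: the escaping changes only
# the wire text, not the data a JSON parser sees. Consumers that treat the
# output as raw text (log viewers, grep on a URL) are the ones that notice.
def round_trips?(value)
  JSON.parse(plain_json(value)) == JSON.parse(html_safe_json(value))
end

# Check for the case the setting is meant to cover: JSON text that, if
# interpolated verbatim inside a <script> element, would close it early or
# open an HTML comment. This is a detection heuristic, not a sanitizer.
def unsafe_for_inline_script?(json_text)
  json_text.downcase.include?("</script") || json_text.include?("<!--")
end

# Constructed sample: a URL with query parameters (the "breaks URLs" case)
# and a string that would terminate an enclosing <script> element.
SAMPLE = {
  "url"  => "https://example.test/search?q=rails&page=2",
  "note" => "</script><b>bold</b>",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "plain:     #{plain_json(SAMPLE)}"
  puts "escaped:   #{html_safe_json(SAMPLE)}"
  puts "round-trip identical: #{round_trips?(SAMPLE)}"
  puts "plain unsafe inline:  #{unsafe_for_inline_script?(plain_json(SAMPLE))}"
  puts "escaped unsafe inline: #{unsafe_for_inline_script?(html_safe_json(SAMPLE))}"
end
```

Running it prints the `&` in the URL as `\u0026` in the escaped form, which is exactly the readability complaint in the post, while `JSON.parse` of either form returns the same hash; only the escaped form is free of the literal `</script` sequence.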