On Fri, Oct 17, 2014 at 2:16 PM, Shai Coleman < rubyonrails-c...@shaicoleman.com> wrote:
> * It monkey patches the to_json whenever activesupport is included, and silently changes the behaviour of to_json
> * It makes the JSON output ugly and less human readable (e.g. LogStash logs)
> * It assumes everything is a browser, it breaks things when it isn't (e.g. URLs with parameters)
> * It's not the expected behavior (
> * Avoiding the escaping behavior requires the awkwardly named to_json_without_active_support_encoder method
> * Adds an unnecessary performance overhead
> * Adds an additional runtime configuration parameter, which means that any gem that uses to_json will behave differently depending on whether activesupport is included or not, and whether that parameter is enabled or not.
> * Escapes using regex which might be a source of subtle security issues
> * It's similar to PHP's infamous magic_quotes_gpc
>
> Recommendations:
> * In Rails 4.2 disable escape_html_entities_in_json by default, and deprecate it
> * Remove it from Rails 5.0
>

The option is confusingly named; the values aren't escaped, they're just encoded in an alternative and perfectly valid way. Outside of some visual clutter when eyeballing JSON values, they have identical semantic meaning. If you have code which is breaking with this turned on, it's not a valid JSON parser.

If this option isn't implemented it's simply not possible to safely include JSON in HTML views without introducing a helper which essentially repeats the exact same logic, or dumping strings and parsing them manually client side.

--
Cheers

Koz
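The two claims in the reply (the `\u003c`-style output is an alternative encoding with identical meaning, and without it JSON cannot be dropped into an HTML view safely) can be checked with plain `json` from the Ruby standard library. The following is an added illustration, not code from the thread or from ActiveSupport: `html_safe_json` re-implements the idea behind `escape_html_entities_in_json` (re-encoding `<`, `>` and `&` as `\uXXXX` escapes) as an assumption about its behaviour, and `script_terminators` stands in for what an HTML parser does when it meets `</script` inside an inline script block. The sample hash is constructed.

```ruby
require 'json'

# Constructed sample: a user-supplied value that contains a closing script tag.
SAMPLE = {
  "name" => "</script><b>injected</b>",
  "note" => "Tom & Jerry"
}.freeze

# Plain JSON.generate leaves <, > and & untouched; this is valid JSON.
def plain_json(obj)
  JSON.generate(obj)
end

# Re-encode the HTML-significant characters as \uXXXX escapes. This mirrors
# the idea behind ActiveSupport's escape_html_entities_in_json (assumed
# behaviour, not ActiveSupport's code). The result is still valid JSON with
# the same meaning, but contains no characters an HTML parser acts on.
HTML_SAFE_MAP = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&]/, HTML_SAFE_MAP)
end

# Koz's point: both forms parse back to the identical Ruby object, so the
# values were never "escaped" in the sense of being altered.
def round_trips_equal?(obj)
  JSON.parse(plain_json(obj)) == JSON.parse(html_safe_json(obj))
end

# Embed the JSON inside an inline <script> block the way a view might.
def embed_in_script(json)
  "<script>var data = #{json};</script>"
end

# An HTML parser ends the script element at the first "</script" it sees,
# regardless of JavaScript string context. Counting occurrences shows whether
# the embedded payload terminated the block early: more than one means it did.
def script_terminators(html)
  html.scan(%r{</script}i).length
end

if __FILE__ == $PROGRAM_NAME
  puts plain_json(SAMPLE)
  puts html_safe_json(SAMPLE)
  puts "same value after parse: #{round_trips_equal?(SAMPLE)}"
  puts "terminators, plain:     #{script_terminators(embed_in_script(plain_json(SAMPLE)))}"
  puts "terminators, html-safe: #{script_terminators(embed_in_script(html_safe_json(SAMPLE)))}"
end
```

Running it shows the plain output producing two `</script` tokens inside the page (the browser would close the script element at the first one and render what follows as markup), while the re-encoded output produces only the intended closing tag, yet `JSON.parse` returns the same hash for both. That is the whole argument for keeping the option: the encoding changes nothing for a conforming JSON parser and removes the one class of characters that matters to an HTML parser.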