Merge pull request #14028 from uberllama/json_escape_comments

Amended json_escape comments
Rafael Mendonça França 2015-02-06 14:49:32 -02:00
commit de9313ce7c

@ -85,6 +85,11 @@ def html_escape_once(s)
# automatically flag the result as HTML safe, since the raw value is unsafe to
# use inside HTML attributes.
#
# If your JSON is being used downstream for insertion into the DOM, be aware of
# whether or not it is being inserted via +html()+. Most JQuery plugins do this.
# If that is the case, be sure to +html_escape+ or +sanitize+ any user-generated
# content returned by your JSON.
#
# If you need to output JSON elsewhere in your HTML, you can just do something
# like this, as any unsafe characters (including quotation marks) will be
# automatically escaped for you:
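Review bot: The added paragraph ("If your JSON is being used downstream for insertion into the DOM ...") does not say where the escaping is meant to happen, and its placement changes what the following paragraph means. It now sits between the caveat about HTML attributes and "If you need to output JSON elsewhere in your HTML", so "elsewhere" reads as a contrast with DOM insertion instead of with attributes. Suggest rewording that sentence (for example "outside of HTML attributes") or moving the new paragraph below it. The paragraph should also state explicitly that the escaping described here covers embedding the JSON in the page, not the string values once client-side code inserts them as markup, so that "be sure to +html_escape+ or +sanitize+" is clearly a separate step applied to the user-generated values themselves. Minor: the library name is spelled "jQuery", and "+html()+" would be clearer as jQuery's +.html()+ so that it is not mistaken for a Rails helper.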