How to safely embed JSON with </script> in HTML document?

ruby-on-rails json ruby-on-rails-3 html-parsing

Your code using just @tags.to_json works in rails3, if you enable it with:

   ActiveSupport.escape_html_entities_in_json = true

Otherwise, your other option is this:

   var tags_list = <%= raw @tags.to_json.gsub("</", "<\\/") %>;

This saves the client having to parse the whole thing through $

ruby-on-rails json ruby-on-rails-3 html-parsing

The proper way in 2019 is to wrap obj.to_json with json_escape function. json_escape is directly intended for escaping specific HTML symbols inside JSON strings. Example below from the documentation:

json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})# => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"json_escape(json)# => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"JSON.parse(json) == JSON.parse(json_escape(json))# => true

It seems this page appears on top of Google Search results, that's why I decided to provide a comment with an update :)

ruby-on-rails json ruby-on-rails-3 html-parsing

btw, this works but is not a good solution in my opinion:

<script type="text/javascript" charset="utf-8">  //<![CDATA[  var tags_list = <%=raw @tags.to_json.gsub('/', '\/') %>;  // ]]></script>

CodeHunter

How to safely embed JSON with </script> in HTML document?

Recent Posts

How can I color dots in a xy scatterplot according to column value?

How to update a claim in ASP.NET Identity?

What does {0} mean when initializing an object?

Accessing members of items in a JSONArray with Java

How to log SQL statements in Spring Boot?

Powershell Get-WebSite name parameter is ignored

How to detect scroll to bottom of html element

Java synchronized method

How to test controllers with CodeIgniter?

Detect Visual Composer

Matplotlib: Specify format of floats for tick labels

Rails join a list of strings with commas and "and" before the last