File: //usr/local/rvm/gems/default/doc/activesupport-6.1.4.1/ri/ERB/Util/json_escape-c.ri
��U:�RDoc::AnyMethod[�i�I"�json_escape�:�ETI"�ERB::Util::json_escape�;�TT:�publico:�RDoc::Markup::Document�:�@parts[�o:�RDoc::Markup::Paragraph�; [�I"TA utility method for escaping HTML entities in JSON strings. Specifically, the �;�TI"U&, > and < characters are replaced with their equivalent unicode escaped form - �;�TI"R\u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also �;�TI"Sescaped as they are treated as newline characters in some JavaScript engines. �;�TI"RThese sequences have identical meaning as the original characters inside the �;�TI"Pcontext of a JSON string, so assuming the input is a valid and well-formed �;�TI"EJSON value, the output will have equivalent meaning when parsed:�;�To:�RDoc::Markup::BlankLine�o:�RDoc::Markup::Verbatim�; [
I"Rjson = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
�;�TI"G# => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"
�;�TI"�
�;�TI"�json_escape(json)
�;�TI"k# => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"
�;�TI"�
�;�TI"7JSON.parse(json) == JSON.parse(json_escape(json))
�;�TI"�# => true
�;�T:�@format0o;
�; [�I"VThe intended use case for this method is to escape JSON strings before including �;�TI"9them inside a script tag to avoid XSS vulnerability:�;�T@�o;��; [�I"�<script>
�;�TI"G var currentUser = <%= raw json_escape(current_user.to_json) %>;
�;�TI"�</script>
�;�T;
0o;
�; [ I"SIt is necessary to +raw+ the result of +json_escape+, so that quotation marks �;�TI"Ldon't get converted to <tt>"</tt> entities. +json_escape+ doesn't �;�TI"Rautomatically flag the result as HTML safe, since the raw value is unsafe to �;�TI" use inside HTML attributes.�;�T@�o;
�; [ I"SIf your JSON is being used downstream for insertion into the DOM, be aware of �;�TI"[whether or not it is being inserted via <tt>html()</tt>. Most jQuery plugins do this. �;�TI"TIf that is the case, be sure to +html_escape+ or +sanitize+ any user-generated �;�TI"#content returned by your JSON.�;�T@�o;
�; [�I"RIf you need to output JSON elsewhere in your HTML, you can just do something �;�TI"Mlike this, as any unsafe characters (including quotation marks) will be �;�TI"#automatically escaped for you:�;�T@�o;��; [�I"A<div data-user-info="<%= current_user.to_json %>">...</div>
�;�T;
0o;
�; [ I"TWARNING: this helper only works with valid JSON. Using this on non-JSON values �;�TI"Owill open up serious XSS vulnerabilities. For example, if you replace the �;�TI"V+current_user.to_json+ in the example above with user input instead, the browser �;�TI"3will happily eval() that string as JavaScript.�;�T@�o;
�; [ I"RThe escaping performed in this method is identical to those performed in the �;�TI"VActive Support JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is �;�TI"Pset to true. Because this transformation is idempotent, this helper can be �;�TI"Rapplied even if +ActiveSupport.escape_html_entities_in_json+ is already true.�;�T@�o;
�; [
I"TTherefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+ �;�TI"Qis enabled, or if you are unsure where your JSON string originated from, it �;�TI"Tis recommended that you always apply this helper (other libraries, such as the �;�TI"QJSON gem, do not provide this kind of protection by default; also some gems �;�TI"Bmight override +to_json+ to bypass Active Support's encoder).�;�T:
@fileI"8lib/active_support/core_ext/string/output_safety.rb�;�T:0@omit_headings_from_table_of_contents_below000[�I"�(s)�;�T@OFI" Util�;�Tc�RDoc::NormalModule00