dewski/json_builder

JS_ESCAPE_MAP is incomplete and causes invalid JSON output


There are a bunch of control characters which users routinely enter, such as "\v", "\f", "\u0003" and even "\b", which json_builder fails to escape, resulting in invalid output that both JSON.parse and browsers' JSON libraries choke on.

[413] pry(main)> "\n".to_json
=> "\"\\n\""
[414] pry(main)> "\n".to_builder
=> "\"\\n\""
[415] pry(main)> "\b".to_json
=> "\"\\b\""
[416] pry(main)> "\b".to_builder
=> "\"\b\""
[417] pry(main)> JSON.parse '{"x": %s}' % _
JSON::ParserError: 757: unexpected token at '{"x": "}'
from /Users/alpha/.rbenv/versions/1.9.3-p362/lib/ruby/gems/1.9.1/gems/json-1.7.7/lib/json/common.rb:155:in `parse'

Right now our only workaround is to sanitize user input.
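As an added example, not json_builder's own code: a Ruby escaper that handles every character RFC 8259 requires to be escaped in a string (quote, backslash and U+0000..U+001F), placed next to a deliberately incomplete map of the kind this issue describes. The map and function names are assumptions of this example, not identifiers from the gem.

```ruby
require 'json'

# Deliberately incomplete map of the kind the issue describes: only the
# "popular" escapes, nothing for \b, \f, \v or other control characters.
INCOMPLETE_MAP = {
  "\\" => "\\\\", '"' => '\\"', "\n" => "\\n", "\r" => "\\r", "\t" => "\\t"
}.freeze

# Complete map: the two mandatory escapes, the short forms, and a \uXXXX
# escape for every remaining control character U+0000..U+001F.
COMPLETE_MAP = INCOMPLETE_MAP.merge("\b" => "\\b", "\f" => "\\f").tap do |map|
  (0x00..0x1f).each do |code|
    ch = code.chr(Encoding::UTF_8)
    map[ch] ||= format("\\u%04x", code)
  end
end.freeze

# Quote str as a JSON string literal. A character missing from the map is
# passed through raw, which is exactly the failure shown in the pry session.
def escape_with(map, str)
  '"' + str.gsub(/["\\\x00-\x1f]/) { |c| map.fetch(c, c) } + '"'
end

# Parse the literal back (as the issue does with '{"x": %s}') and confirm the
# original string survives the round trip; false if the output is not valid JSON.
def round_trips?(map, str)
  JSON.parse('{"x": %s}' % escape_with(map, str))['x'] == str
rescue JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  sample = "bell\u0003 bs\b vt\v ff\f"
  puts "incomplete: #{escape_with(INCOMPLETE_MAP, sample).inspect}"
  puts "complete:   #{escape_with(COMPLETE_MAP, sample).inspect}"
  puts "round trip with complete map: #{round_trips?(COMPLETE_MAP, sample)}"
end
```

The incomplete map reproduces the issue (the raw control byte lands inside the string literal), while the complete map always yields a literal that JSON.parse accepts and decodes to the original input.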