Displaying 4 results from an estimated 4 matches for "json_escap".
2010 Mar 31
1
[PATCH] Upgrading the server to work with Rails 2.3.4.
...tializers/new_rails_defaults.rb
index 8ec3186..acfb93e 100644
--- a/src/config/initializers/new_rails_defaults.rb
+++ b/src/config/initializers/new_rails_defaults.rb
@@ -16,4 +16,8 @@ ActiveSupport.use_standard_json_time_format = true
# Don't escape HTML entities in JSON, leave that for the #json_escape helper.
# if you're including raw json in an HTML page.
-ActiveSupport.escape_html_entities_in_json = false
\ No newline at end of file
+ActiveSupport.escape_html_entities_in_json = false
+
+def PGconn.quote_ident(name)
+ %("#{name}")
+end
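Review bot: the `PGconn.quote_ident` override added at the end of the hunk wraps `name` in double quotes but does not double any `"` already present in the identifier, so unlike PostgreSQL's own `quote_ident` it yields a mis-delimited identifier whenever the name contains a double quote; suggest `%("#{name.to_s.gsub('"', '""')}")`. The shim is also undocumented: it sits directly under a comment block about JSON escaping with no explanation of why the Rails 2.3.4 upgrade needs it, so a one-line comment stating the reason would help the next reader.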
--
1.6.6.1
2012 Dec 08
0
Security - How to sanitize JSON?
Hi, I'm on Rails 3.2.8 and one of my apps sends some json to create DB
objects. What's the best way to sanitize json?
I found this post claiming that for json we need to escape manually
since json_escape is broken:
http://blog.bigbinary.com/2012/05/10/xss-and-rails.html
I tried using the sanitize gem (https://github.com/rgrove/sanitize/) but
when using it on a json string it returns NoMethodError (undefined
method `strip' for #<ActiveSupport::HashWithIndifferentAccess:...
Later on I...
2013 Nov 28
74
Remove :js responder
https://github.com/rails/rails/issues/12374#issuecomment-29446761
Here in discussion I proposed to deprecate JS responder because this
technique is insecure and not pragmatic way to transfer data.
It can be exploited in this
way http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
I find this bug very often so I know what I'm talking about. With it
attacker can
2009 Jul 20
9
Upgrade server to run on Rails 2.3.2/F11
Note that one of the 8 patches (#6) will be sent separately in reply
to this email, as some of the replaced lines are too long, so git
won't let me send the email. However, there is nothing wrong with
that patch, and it should be applied in the sequence listed below.
Note also that I assume this will be tested on a clean f11 install, rather
than an upgrade of an existing ovirt server