#6025 render :json don't escape htmlentities. - Ruby on Rails - rails

This project is archived and is in readonly mode.

#6025 ✓stale

render :json don't escape htmlentities.

Reported by Tohru Hashimoto | November 21st, 2010 @ 07:00 AM

XSS happend by IE6 and IE7.

app/controllers/json_controller.rb

class JsonController < ApplicationController
  def index
    xss = "<script>alert('hoge')</script>"
    render :json => {:a => xss }
  end
end

config/routes.rb

RenderJsonXss::Application.routes.draw do
  root :to => 'json#index'
end

and access to http://localhost:3000/.html with IE6 or IE7.
response:

{"a":"<script>alert('hoge')</script>"}

I think render :json should escape htmlentities.

Comments and changes to this ticket

You flagged this item as spam.
Andrés Mejía November 21st, 2010 @ 03:04 PM
-1 on this.

Why would you directly access an action that renders JSON in the first place?

I don't really see how could this be used for an XSS attack. Mind explaining?

And if you really want to escape the content, you can use:
```
    render :json => {:a => CGI::escape(xss) }
```
But I don't see any reason for this to be the default behavior.
rails February 22nd, 2011 @ 12:00 AM
- State changed from “new” to “open”
This issue has been automatically marked as stale because it has not been commented on for at least three months.

The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.
rails February 22nd, 2011 @ 12:00 AM
- State changed from “open” to “stale”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Pages

↓↑ dragHome
↓↑ dragSource Style
↓↑ dragTicket Guidelines
↓↑ dragContributing to Rails
↓↑ dragTicket Assignment