How to deal with HTML entities in Rails to_json output?

Question

I'm writing an app that uses Rails on the backend and javascript/backbone on the frontend. I'm trying to bootstrap some rails models into my javascript. Specifically, I'd like to load the contents of @courses into a js variable called window.courses. I've got the following in an html.erb file.

<%= javascript_tag do %>
    window.courses = JSON.parse('<%= @courses.to_json %>');
<% end %>

I'm expecting the erb preprocessor to render this into valid javascript, like so

<script type="text/javascript">
//<![CDATA[
    window.courses = JSON.parse('[{"code":"myCourseCode", ...
//]]>
</script>

... but, instead, I'm getting code that includes HTML entities.

<script type="text/javascript">
//<![CDATA[
    window.courses = JSON.parse('[{&quot;code&quot;:&quot;myCourseCode&quot;, ...
//]]>
</script>

Obviously, I get javascript errors when I try to parse this.

Does anyone know how I can deal with these HTML entities in order to produce valid javascript? I realize that one option would be to unescape the entities on the client side, but this seems like a roundabout solution. Is there a way that I can get Rails to produce JSON that doesn't need unescaping?

Brilliant, thanks! I figured there must be a simple way to do this. — dB', Oct 08 '12 at 19:49
@dB' would you consider updating the accepted answer? this is very unsafe and has been the source of many cross-site scripting vulnerabilities. — oreoshake, Jul 15 '15 at 07:05

oreoshake · Accepted Answer · 2015-07-15T07:06:23.160

9

If you intend to use raw(obj.to_json) you MUST ensure the following is set.

ActiveSupport.escape_html_entities_in_json = true

edited Jul 15 '15 at 07:06

answered Feb 02 '13 at 19:56

oreoshake

4,712
1
31
38

score 5 · Answer 2 · answered Oct 08 '12 at 20:16

5

The question is solved by my comment, just for the record:

Rails escapes strings that are printed using <%= 'string' %>. By this, it is save to ouput user data. So, if you don't want Rails to escape the output, you have to tell Rails explicitly by using raw('string').

In your code, that would be: <%= raw(@courses.to_json) %>

answered Oct 08 '12 at 20:16

Raul Pinto

1,095
8
15

1

this is basically asking for xss. trivially. I've seen this hundreds of times, please don't ever use raw. – oreoshake Jan 23 '15 at 01:32
Thank you for your comment @oreoshake. Can you please point me a direction to an alternative? – Raul Pinto Jul 11 '16 at 07:56
In the answer above, I mention `ActiveSupport.escape_html_entities_in_json = true`. With that setting, and the default json backends, using <= @courses.to_json.html_safe %> is safe from xss. – oreoshake Jul 11 '16 at 18:29

How to deal with HTML entities in Rails to_json output?

2 Answers2

Linked

Related