> https://github.com/flori/json/pull/525
> Rename escape_slash in script_safe and also escape E+2028 and E+2029
Co-authored-by: Jean Boussier <jean.boussier@gmail.com>
> https://github.com/flori/json/pull/454
> Remove unnecessary initialization of create_id in JSON.parse()
Co-authored-by: Watson <watson1978@gmail.com>
It is rather common to directly interpolate JSON string inside
<script> tags in HTML as to provide configuration or parameters to a
script.
However this may lead to XSS vulnerabilities, to prevent that 3
characters need to be escaped:
- `/` (forward slash)
- `U+2028` (LINE SEPARATOR)
- `U+2029` (PARAGRAPH SEPARATOR)
The forward slash need to be escaped to prevent closing the script
tag early, and the other two are valid JSON but invalid Javascript
and can be used to break JS parsing.
Given that the intent of escaping forward slash is the same than escaping
U+2028 and U+2029, I chos to rename and repurpose the existing `escape_slash`
option.
Previously in the JSON::Ext parser, when we encountered an "Infinity"
token (and weren't allowing NaN/Infinity) we would try to display the
"unexpected token" at the character before.
https://github.com/flori/json/commit/42ac170712
```
[ 3463/25719] JSONGeneratorTest#test_string_ext_included_calls_super/home/chkbuild/chkbuild/tmp/build/20230905T063003Z/ruby/test/json/json_generator_test.rb:411: warning: method redefined; discarding old included
/home/chkbuild/chkbuild/tmp/build/20230905T063003Z/ruby/test/json/json_generator_test.rb:399: warning: previous definition of included was here
```
http://rubyci.s3.amazonaws.com/debian10/ruby-master/log/20230905T063003Z.log.html.gz
The C extension defines an `included` hook for the
`JSON::Ext::Generator::GeneratorMethods::String` module but neglects to
call `super` in the hook. This can break the functionality of various
other code that rely on the fact that `included` on `Module` will always
be called.
https://github.com/flori/json/commit/cd8bbe56a3
This snuck in while addding tests for the `create_additions`
feature. Caught by JRuby when we added the `limit` option to the
Date/DateTime parsing methods, which causes this to be rejected as
an unknown keyword.
https://github.com/flori/json/commit/b1007dff66
http://rubyci.s3.amazonaws.com/ubuntu/ruby-master/log/20201021T123003Z.log.html.gz
```
/home/chkbuild/chkbuild/tmp/build/20201021T123003Z/ruby/test/json/json_parser_test.rb:227: warning: ambiguous first argument; put parentheses or a space even after `-' operator
/home/chkbuild/chkbuild/tmp/build/20201021T123003Z/ruby/test/json/json_parser_test.rb:228: warning: ambiguous first argument; put parentheses or a space even after `-' operator
```
... because it conflicts with test/ruby/test_m17n.rb.
An exception `incompatible character encodings: UTF-8 and UTF-16BE`
occurs when:
* a non-existence relative path is added to $LOAD_PATH,
* ASCII-incompatible encoding is set to default_external, and
* some file is loaded.
```
$LOAD_PATH << "no_existing_dir"
Encoding.default_external = Encoding::UTF_16BE
load "dummy.rb" #=> incompatible character encodings: UTF-8 and UTF-16BE
```
This issue can be actually observed by a combination of out-of-place
build and the following command:
make test-all TESTS="json ruby/m17n -n test_object_inspect_external"
http://ci.rvm.jp/logfiles/brlog.trunk-test-random.20200322-221411
ASCII-incompatible default external encoding assumes that the cwd is the
encoding, and it is attempted to beconcatenated with a non-existence
relative LOAD_PATH UTF-8 string, which causes the exception.
This changeset avoids a relative path.
Étienne Barrié
Hiroshi SHIBATA
tompng
Takashi Kokubun
Jean Boussier
John Hawthorn
Lucas Kanashiro
Yusuke Endoh
Peter Zhu
Nobuyoshi Nakada
Ufuk Kayserilioglu
Ethan
Andrew Bromwich
Charles Oliver Nutter
Kenta Murata
Chris Seaton
Kazuhiro NISHIYAMA
Marc-Andre Lafortune
Karol Bucek
Keith Bennett