Don't escape JSON when unnecessary

etiennebarrie · byroot · byroot · commit 1ba4664ee548 · 2025-03-27T08:47:23.000+01:00
When `render json:` is used in a controller, and there's no callback
option (used for JSONP), the resulting JSON document doesn't need to be
HTML-safe (no need to escape HTML entities) or embeddable into
JavaScript (no need to escape U+2028 and U+2029).

This both saves a costly operation and renders cleaner JSON.

Co-authored-by: Jean Boussier &lt;jean.boussier@gmail.com&gt;
diff --git a/actionpack/lib/action_controller/metal/renderers.rb b/actionpack/lib/action_controller/metal/renderers.rb
@@ -153,6 +153,7 @@ def _render_to_body_with_renderer(options)
 
     add :json do |json, options|
       json_options = options.except(:callback, :content_type, :status)
+      json_options[:escape] ||= false unless options[:callback].present?
       json = json.to_json(json_options) unless json.kind_of?(String)
 
       if options[:callback].present?
diff --git a/actionpack/test/controller/render_json_test.rb b/actionpack/test/controller/render_json_test.rb
@@ -46,6 +46,14 @@ def render_json_hello_world_with_callback
       render json: ActiveSupport::JSON.encode(hello: "world"), callback: "alert"
     end
 
+    def render_json_unsafe_chars_with_callback
+      render json: { hello: "\u2028\u2029<script>" }, callback: "alert"
+    end
+
+    def render_json_unsafe_chars_without_callback
+      render json: { hello: "\u2028\u2029<script>" }
+    end
+
     def render_json_with_custom_content_type
       render json: ActiveSupport::JSON.encode(hello: "world"), content_type: "text/javascript"
     end
@@ -106,6 +114,18 @@ def test_render_json_with_callback
     assert_equal "text/javascript", @response.media_type
   end
 
+  def test_render_json_with_callback_escapes_js_chars
+    get :render_json_unsafe_chars_with_callback, xhr: true
+    assert_equal '/**/alert({"hello":"\\u2028\\u2029\\u003cscript\\u003e"})', @response.body
+    assert_equal "text/javascript", @response.media_type
+  end
+
+  def test_render_json_without_callback_does_not_escape_js_chars
+    get :render_json_unsafe_chars_without_callback
+    assert_equal %({"hello":"\u2028\u2029<script>"}), @response.body
+    assert_equal "application/json", @response.media_type
+  end
+
   def test_render_json_with_custom_content_type
     get :render_json_with_custom_content_type, xhr: true
     assert_equal '{"hello":"world"}', @response.body
@@ -137,6 +157,6 @@ def test_render_json_calls_to_json_from_object
 
   def test_render_json_avoids_view_options
     get :render_json_inspect_options
-    assert_equal '{"options":{}}', @response.body
+    assert_equal '{"options":{"escape":false}}', @response.body
   end
 end
