Don't escape JSON when unnecessary

When `render json:` is used in a controller, and there's no callback
option (used for JSONP), the resulting JSON document doesn't need to be
HTML-safe (no need to escape HTML entities) or embeddable into
JavaScript (no need to escape U+2028 and U+2029).

This both saves a costly operation and renders cleaner JSON.

Author: etiennebarrie

actionpack/lib/action_controller/metal/renderers.rb

@@ -153,6 +153,7 @@ def _render_to_body_with_renderer(options)
 
     add :json do |json, options|
       json_options = options.except(:callback, :content_type, :status)
+      json_options[:html_safe] ||= false unless options[:callback].present?
       json = json.to_json(json_options) unless json.kind_of?(String)
 
       if options[:callback].present?

actionpack/test/controller/render_json_test.rb

@@ -46,6 +46,14 @@ def render_json_hello_world_with_callback
       render json: ActiveSupport::JSON.encode(hello: "world"), callback: "alert"
     end
 
+    def render_json_unsafe_chars_with_callback
+      render json: { hello: "\u2028\u2029<script>" }, callback: "alert"
+    end
+
+    def render_json_unsafe_chars_without_callback
+      render json: { hello: "\u2028\u2029<script>" }
+    end
+
     def render_json_with_custom_content_type
       render json: ActiveSupport::JSON.encode(hello: "world"), content_type: "text/javascript"
     end
@@ -106,6 +114,18 @@ def test_render_json_with_callback
     assert_equal "text/javascript", @response.media_type
   end
 
+  def test_render_json_with_callback_escapes_js_chars
+    get :render_json_unsafe_chars_with_callback, xhr: true
+    assert_equal '/**/alert({"hello":"\\u2028\\u2029\\u003cscript\\u003e"})', @response.body
+    assert_equal "text/javascript", @response.media_type
+  end
+
+  def test_render_json_without_callback_does_not_escape_js_chars
+    get :render_json_unsafe_chars_without_callback
+    assert_equal %({"hello":"\u2028\u2029<script>"}), @response.body
+    assert_equal "application/json", @response.media_type
+  end
+
   def test_render_json_with_custom_content_type
     get :render_json_with_custom_content_type, xhr: true
     assert_equal '{"hello":"world"}', @response.body
@@ -137,6 +157,6 @@ def test_render_json_calls_to_json_from_object
 
   def test_render_json_avoids_view_options
     get :render_json_inspect_options
-    assert_equal '{"options":{}}', @response.body
+    assert_equal '{"options":{"html_safe":false}}', @response.body
   end
 end

activesupport/lib/active_support/json/encoding.rb

@@ -20,8 +20,8 @@ class << self
       #   ActiveSupport::JSON.encode({ team: 'rails', players: '36' })
       #   # => "{\"team\":\"rails\",\"players\":\"36\"}"
       #
-      # Generates JSON that is safe to include in JavaScript as it escapes
-      # U+2028 (Line Separator) and U+2029 (Paragraph Separator):
+      # By default, it generates JSON that is safe to include in JavaScript, as
+      # it escapes U+2028 (Line Separator) and U+2029 (Paragraph Separator):
       #
       #   ActiveSupport::JSON.encode({ key: "\u2028" })
       #   # => "{\"key\":\"\\u2028\"}"
@@ -32,11 +32,17 @@ class << self
       #   ActiveSupport::JSON.encode({ key: "<>&" })
       #   # => "{\"key\":\"\\u003c\\u003e\\u0026\"}"
       #
-      # This can be changed with the +escape_html_entities+ option, or the
+      # This behavior can be changed with the +escape_html_entities+ option, or the
       # global escape_html_entities_in_json configuration option.
       #
       #   ActiveSupport::JSON.encode({ key: "<>&" }, escape_html_entities: false)
       #   # => "{\"key\":\"<>&\"}"
+      #
+      # For performance reasons, you can set the +html_safe+ option to false,
+      # which will skip all escaping:
+      #
+      #   ActiveSupport::JSON.encode({ key: "\u2028<>&" }, html_safe: false)
+      #   # => "{\"key\":\"\u2028<>&\"}"
       def encode(value, options = nil)
         if options.nil?
           Encoding.encode_without_options(value)
@@ -76,6 +82,8 @@ def encode(value)
           end
           json = stringify(jsonify(value))
 
+          return json unless @options.fetch(:html_safe, true)
+
           # Rails does more escaping than the JSON gem natively does (we
           # escape \u2028 and \u2029 and optionally >, <, & to work around
           # certain browser problems).
@@ -162,6 +170,8 @@ def encode(value)
 
             json = CODER.dump(value)
 
+            return json unless @options.fetch(:html_safe, true)
+
             # Rails does more escaping than the JSON gem natively does (we
             # escape \u2028 and \u2029 and optionally >, <, & to work around
             # certain browser problems).