Quotes inside <script> elements get forcibly entity-escaped

[julik]

At the moment the interception forcibly converts all quotes inside the content of script elements into " entities. The following ERB:

<script type="application/json" id="timeline-data"><%== JSON.generate({hello: "world"}) %></script>

gets output like so with normal ERB:

<script type="application/json" id="timeline-data">{"hello":"world"}</script>

but with Reactionview intercepts the render is:

<script type="application/json" id="timeline-data">{&quot;hello&quot;:&quot;world&quot;}</script>

which predictably wrecks any downstream parsing. I've done a test with <script>alert(&quot;hello&quot;)</script> and that is obviously not working, so browsers don't decode those entities.

If this is done for security I would strongly urge to reconsider this approach.

[marcoroth]

Hey @julik, can you confirm you are running on the latest version of both Herb and ReActionView. We fixed a similar issue in #12. Thank you! 🙏🏼

[skatkov]

@marcoroth version that we're running is:

reactionview (0.2.1)
      actionview (>= 7.0)
      herb (>= 0.8.0, < 1.0.0)

[marcoroth]

Thanks @skatkov! I'll check if I can reproduce the issue! 🙏🏼