ruby.git/test/json, branch v3_3_11 The Ruby Programming Language Merge JSON 2.7.2 for Ruby 3.3 (#11541) 2024-09-04T15:47:06+00:00 Hiroshi SHIBATA hsbt@ruby-lang.org 2024-09-04T15:47:06+00:00 4eb51dfc9e67683a1a03fdf302d5ddd95cad716a Merge JSON 2.7.2 
Merge JSON 2.7.2
 [flori/json] cosmetics 2023-12-05T03:04:11+00:00 Hiroshi SHIBATA hsbt@ruby-lang.org 2023-12-05T01:41:16+00:00 84654bfbba8df0f9eb6876051f8fe62f9a423bdd https://github.com/flori/json/commit/39d6c854a4 
https://github.com/flori/json/commit/39d6c854a4
[flori/json] The modern Ruby uses utf-8 encodings by default 2023-12-05T03:04:10+00:00 Hiroshi SHIBATA hsbt@ruby-lang.org 2023-12-05T01:41:01+00:00 abc3d124f79abae6ea9072fe6a3e70486c1fbe58 https://github.com/flori/json/commit/11b31210ac 
https://github.com/flori/json/commit/11b31210ac
[flori/json] Fix JSON.dump overload combination 2023-12-05T03:04:08+00:00 tompng tomoyapenguin@gmail.com 2023-12-04T10:18:14+00:00 70740deea793274f6e38a7b7fc3688aa709fd1d8 https://github.com/flori/json/commit/41c2712a3b 
https://github.com/flori/json/commit/41c2712a3b
[flori/json] Overload kwargs in JSON.dump 2023-12-05T03:04:08+00:00 Takashi Kokubun takashikkbn@gmail.com 2023-12-01T17:53:44+00:00 e6b35e8a6d70892037503d74cec2657b2b8bd116 https://github.com/flori/json/commit/936f280f9f 
https://github.com/flori/json/commit/936f280f9f
[flori/json] JSON.dump: handle unenclosed hashes regression 2023-12-05T03:04:07+00:00 Jean Boussier jean.boussier@gmail.com 2023-12-01T10:46:16+00:00 a22ed8943859963c67533bb0edc13a27bfdac00c Fix: https://github.com/flori/json/issues/553 We can never add keyword arguments to `dump` otherwise existing code using unenclosed hash will break. https://github.com/flori/json/commit/8e0076a3f2 
Fix: https://github.com/flori/json/issues/553

We can never add keyword arguments to `dump` otherwise
existing code using unenclosed hash will break.

https://github.com/flori/json/commit/8e0076a3f2
lib/helper only needs on flori/json repo 2023-12-01T07:47:06+00:00 Hiroshi SHIBATA hsbt@ruby-lang.org 2023-12-01T07:46:42+00:00 7d142c08cb5b65e4ba110b116c41a8e5e3acc027 






Manually merged from flori/json
2023-12-01T07:47:06+00:00

Hiroshi SHIBATA
hsbt@ruby-lang.org

2023-12-01T06:51:26+00:00

86045fca24be94db7a9cbf7a9126e43c212dcc55

  > https://github.com/flori/json/pull/525
  > Rename escape_slash in script_safe and also escape E+2028 and E+2029

  Co-authored-by: Jean Boussier <jean.boussier@gmail.com>

  > https://github.com/flori/json/pull/454
  > Remove unnecessary initialization of create_id in JSON.parse()

  Co-authored-by: Watson <watson1978@gmail.com>





  > https://github.com/flori/json/pull/525
  > Rename escape_slash in script_safe and also escape E+2028 and E+2029

  Co-authored-by: Jean Boussier <jean.boussier@gmail.com>

  > https://github.com/flori/json/pull/454
  > Remove unnecessary initialization of create_id in JSON.parse()

  Co-authored-by: Watson <watson1978@gmail.com>







Rename escape_slash in script_safe and also escape E+2028 and E+2029
2023-12-01T07:47:06+00:00

Jean Boussier
jean.boussier@gmail.com

2023-04-13T17:22:29+00:00

0dfeb172968cdaefca2ab828c94d3e5f44d91f8f

It is rather common to directly interpolate JSON string inside
<script> tags in HTML as to provide configuration or parameters to a
script.

However this may lead to XSS vulnerabilities, to prevent that 3
characters need to be escaped:

  - `/` (forward slash)
  - `U+2028` (LINE SEPARATOR)
  - `U+2029` (PARAGRAPH SEPARATOR)

The forward slash need to be escaped to prevent closing the script
tag early, and the other two are valid JSON but invalid Javascript
and can be used to break JS parsing.

Given that the intent of escaping forward slash is the same than escaping
U+2028 and U+2029, I chos to rename and repurpose the existing `escape_slash`
option.





It is rather common to directly interpolate JSON string inside
<script> tags in HTML as to provide configuration or parameters to a
script.

However this may lead to XSS vulnerabilities, to prevent that 3
characters need to be escaped:

  - `/` (forward slash)
  - `U+2028` (LINE SEPARATOR)
  - `U+2029` (PARAGRAPH SEPARATOR)

The forward slash need to be escaped to prevent closing the script
tag early, and the other two are valid JSON but invalid Javascript
and can be used to break JS parsing.

Given that the intent of escaping forward slash is the same than escaping
U+2028 and U+2029, I chos to rename and repurpose the existing `escape_slash`
option.







[flori/json] Fix "unexpected token" offset for Infinity
2023-12-01T07:47:06+00:00

John Hawthorn
john@hawthorn.email

2022-09-20T00:56:19+00:00

4b770527c2d4287456d03d645b595662f2501d67

Previously in the JSON::Ext parser, when we encountered an "Infinity"
token (and weren't allowing NaN/Infinity) we would try to display the
"unexpected token" at the character before.

https://github.com/flori/json/commit/42ac170712





Previously in the JSON::Ext parser, when we encountered an "Infinity"
token (and weren't allowing NaN/Infinity) we would try to display the
"unexpected token" at the character before.

https://github.com/flori/json/commit/42ac170712