UnescapeHTML can render un-parseable JSON · Issue #98 · unrolled/render · GitHub

UnescapeHTML can render un-parseable JSON #98

Description

@aaronlisman

If you try to render JSON with a string field that has, say, some JavaScript that has a string with the characters for an escaped bracket (`let foo = "\\u003c"`), the resulting JSON isn't valid because of the global replace here: cb1d010#diff-faa39773718bee2c453eb6825bcc4dc5766eff99ab928f1827ddba95d18d15e2R91

At the very least I don't think it should be set to true by default.

Example test:

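```go
package render_test // package name assumed; use your own test package

import (
	"encoding/json"
	"fmt"
	"net/http/httptest"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"github.com/unrolled/render"
)

func TestSimple(t *testing.T) {
	// Run the same round trip with UnEscapeHTML enabled and disabled.
	for _, unescapeHTML := range []bool{true, false} {
		t.Run(fmt.Sprintf("UnescapeHTML: %v", unescapeHTML), func(t *testing.T) {
			// Raw string: the field value contains two literal backslashes before u003c.
			script := `let foo = "\\u003c"`
			jsonStruct := struct {
				Script string `json:"script"`
			}{
				Script: script,
			}

			// Render the struct as JSON into a recorder.
			r := render.New(render.Options{UnEscapeHTML: unescapeHTML})
			rec := httptest.NewRecorder()
			require.NoError(t, r.JSON(rec, 200, jsonStruct))
			unrolledBytes := rec.Body.Bytes()

			unmarshalledJson := struct {
				Script string `json:"script"`
			}{}

			// The rendered bytes must parse and give back the original string.
			require.NoError(t, json.Unmarshal(unrolledBytes, &unmarshalledJson))
			assert.Equal(t, script, unmarshalledJson.Script)
		})
	}
}
```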

```
=== RUN   TestSimple/UnescapeHTML:_true
    response_test.go:38: 
        	Error Trace:	response_test.go:38
        	Error:      	Received unexpected error:
        	            	invalid character '<' in string escape code
        	Test:       	TestSimple/UnescapeHTML:_true
```
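
The failure described in this issue, reproduced with only the standard library as an added example (not code from unrolled/render or from the issue author). `naiveUnescape` is a hypothetical stand-in for a global replace over already-encoded JSON bytes, `encoderUnescape` uses `json.Encoder.SetEscapeHTML(false)` instead, and the `payload` type and sample script are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

type payload struct{ Script string `json:"script"` }

// naiveUnescape (hypothetical stand-in) rewrites escapes in encoded bytes, blind to escaped backslashes.
func naiveUnescape(v interface{}) ([]byte, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	for _, p := range [][2]string{{`\u003c`, "<"}, {`\u003e`, ">"}, {`\u0026`, "&"}} {
		b = bytes.ReplaceAll(b, []byte(p[0]), []byte(p[1]))
	}
	return b, nil
}

// encoderUnescape has the encoder skip HTML escaping, so literal backslashes stay escaped.
func encoderUnescape(v interface{}) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	err := enc.Encode(v)
	return bytes.TrimSpace(buf.Bytes()), err
}

// roundTrip returns nil only if b parses and yields the original string.
func roundTrip(b []byte, want string) error {
	var out payload
	if err := json.Unmarshal(b, &out); err != nil {
		return err
	}
	if out.Script != want {
		return fmt.Errorf("got %q, want %q", out.Script, want)
	}
	return nil
}

func main() {
	in := payload{Script: `let foo = "\\u003c"; if (a < b) {}`} // constructed sample
	naive, _ := naiveUnescape(in)
	safe, _ := encoderUnescape(in)
	fmt.Printf("naive:   %s\n  -> %v\n", naive, roundTrip(naive, in.Script))
	fmt.Printf("encoder: %s\n  -> %v\n", safe, roundTrip(safe, in.Script))
}
```

The naive output ends the escaped backslash run with `\<`, which is not a valid JSON escape; the encoder output keeps `\\\\u003c` intact while still emitting the real `<` unescaped.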
