If you render JSON with a string field that contains, say, some JavaScript holding the literal characters of an escaped bracket (let foo = "\\u003c"), the resulting JSON isn't valid because of the global replace here: cb1d010#diff-faa39773718bee2c453eb6825bcc4dc5766eff99ab928f1827ddba95d18d15e2R91. The encoder has already escaped the backslash in front of u003c, so the replace leaves a backslash directly followed by '<', which is not a legal JSON escape.
At the very least, I don't think the option (UnEscapeHTML) should be set to true by default.
Example test:
// TestSimple round-trips a string that contains the literal text \\u003c
// through render's JSON output, once with UnEscapeHTML enabled and once with
// it disabled, and requires the response body to decode back to the same
// string.
//
// The enabled case is the one that reproduces the report: the body stops being
// parseable JSON ("invalid character '<' in string escape code").
//
// NOTE(review): encoding/json writes <, > and & as \u003c, \u003e and \u0026
// so that the JSON stays inert when embedded in HTML. An option that reverses
// that on the finished bytes gives the protection up, so its default value
// matters. Confirm the default against render.Options.
func TestSimple(t *testing.T) {
	type payload struct {
		Script string `json:"script"`
	}

	// Raw string: the value really is two backslashes followed by u003c, i.e.
	// already-escaped text that must survive encoding untouched.
	const want = `let foo = "\\u003c"`

	modes := []bool{true, false}
	for _, enabled := range modes {
		name := fmt.Sprintf("UnescapeHTML: %v", enabled)
		t.Run(name, func(t *testing.T) {
			renderer := render.New(render.Options{UnEscapeHTML: enabled})
			recorder := httptest.NewRecorder()
			require.NoError(t, renderer.JSON(recorder, 200, payload{Script: want}))

			// Decoding is the validity check: a body mangled after encoding
			// fails here before the equality assertion is reached.
			var decoded payload
			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &decoded))
			assert.Equal(t, want, decoded.Script)
		})
	}
}
=== RUN TestSimple/UnescapeHTML:_true
response_test.go:38:
Error Trace: response_test.go:38
Error: Received unexpected error:
invalid character '<' in string escape code
Test: TestSimple/UnescapeHTML:_true
If you try to render JSON with a string field that has, say, some javascript that has a string with the characters for an escaped bracket (let foo = "\\u003c"), the resulting JSON isn't valid because of the global replace here: cb1d010#diff-faa39773718bee2c453eb6825bcc4dc5766eff99ab928f1827ddba95d18d15e2R91
At the very least I don't think it should be set to true by default.
Example test: