in reply to Re^3: JSON::XS and escaping literal strings
in thread JSON::XS and escaping literal strings
Yes, it does.
I did some more research on this. I confirmed that the JSON spec does not require escaping of forward slashes.
Some platforms escape the forward slash by default but allow you to disable that behavior (e.g., php, json-c). I assume that's for safety.
Others expect you to escape it yourself when using it within the context of HTML. Ruby's ERB provides an escape_json method. Here's the essence of that:
JSON_ESCAPE = { "&" => '\u0026', ">" => '\u003e', "<" => '\u003c', "\u +2028" => '\u2028', "\u2029" => '\u2029' } JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
I've decided to move to Cpanel::JSON::XS, since it has support for more of the ::PP settings. And I've written a wrapper around it for our app that sets the appropriate defaults (e.g., escape_slash). I wrote a Perl version of the escape_json() from ERB.
{ my %escape = ( "&" => '\u0026', ">" => '\u003E', "<" => '\u003C', '\x{2028}' => '\u2028', '\x{2029}' => '\u2029', ); my $chars = join '', keys %escape; my $regex = qr/[$chars]/; sub escape_for_html { my $class = shift; @_ or croak 'no json supplied'; my @json = @_; foreach (@json) { s/($regex)/$escape{ $1 }/ge if defined; } return wantarray ? @json : join('', @json); } }