escape_html_entities_in_json considered harmful

  • It monkey-patches to_json whenever activesupport is included, and silently changes the behaviour of to_json

  • It makes the JSON output ugly and less human readable (e.g. LogStash logs)

  • It assumes everything is a browser, and it breaks things when it isn’t (e.g. URLs with parameters)

  • It’s not the expected behavior (

  • Avoiding the escaping behavior requires the awkwardly named to_json_without_active_support_encoder method

  • Adds an unnecessary performance overhead

  • Adds an additional runtime configuration parameter, which means that any gem that uses to_json will behave differently depending on whether activesupport is included or not, and whether that parameter is enabled or not.

  • Escapes using regex which might be a source of subtle security issues

  • It’s similar to PHP’s infamous magic_quotes_gpc

Recommendations:

  • In Rails 4.2 disable escape_html_entities_in_json by default, and deprecate it

  • Remove it from Rails 5.0

The option is confusingly named; the values aren't escaped, they're just encoded in an alternative and perfectly valid way. Outside of some visual clutter when eyeballing JSON values, they have identical semantic meaning. If you have code which is breaking with this turned on, it's not a valid JSON parser.

If this option isn't implemented, it's simply not possible to safely include JSON in HTML views without introducing a helper which essentially repeats the exact same logic, or dumping strings and parsing them manually client side.
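The two positions above can be checked in a few lines. The following is an added example written for this page, not code from the issue author or from ActiveSupport; it reimplements the same idea with only the stdlib json gem, so it runs without Rails. The escape table, the helper names and the constructed attacker-controlled payload are assumptions for illustration. It shows both points: the encoded form parses back to the identical value (so any conforming JSON parser is unaffected), and the unencoded form lets a string value terminate an inline <script> block.

```ruby
require 'json'

# Characters that matter once JSON is inlined into an HTML <script> block,
# mapped to the equivalent JSON \uXXXX escapes. This mirrors the idea behind
# ActiveSupport's escape_html_entities_in_json; the table itself is ours
# (assumption), not copied from ActiveSupport.
HTML_UNSAFE = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028', # line separator: legal inside a JSON string, a line break in JS source
  "\u2029" => '\u2029'  # paragraph separator: same problem
}.freeze

# Serialize with the stdlib encoder, then rewrite the unsafe characters.
# None of these characters are JSON syntax, so they can only occur inside
# string literals; rewriting the serialized text is therefore equivalent to
# rewriting each string value, and the result is still valid JSON.
def to_json_html_safe(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |ch| HTML_UNSAFE[ch] }
end

# Inline the JSON the way a view helper would (hypothetical helper).
def script_tag(json)
  "<script>var data = #{json};</script>"
end

# Would an HTML parser see a closing script tag inside the JSON text?
def breaks_out_of_script?(json)
  json =~ %r{</script}i ? true : false
end

# Constructed sample input: one attacker-controlled string value among
# otherwise ordinary data, as it would reach a view.
PAYLOAD = {
  'name' => "x</script><script>alert(1)</script>",
  'url'  => 'http://example.test/?a=1&b=2',
  'n'    => 1
}.freeze

if $PROGRAM_NAME == __FILE__
  plain = JSON.generate(PAYLOAD)
  safe  = to_json_html_safe(PAYLOAD)

  puts script_tag(plain)                # the string value closes the script block
  puts script_tag(safe)                 # only \u003c / \u003e / \u0026 reach the browser
  puts breaks_out_of_script?(plain)     # true
  puts breaks_out_of_script?(safe)      # false
  puts JSON.parse(safe) == PAYLOAD      # true: same value, alternate encoding
end
```

The URL in the sample is the case from the "breaks URLs with parameters" bullet: the & is emitted as \u0026, and JSON.parse returns the original URL unchanged. Code that sees a literal backslash-u sequence in the value is reading the serialized text instead of parsing it.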