Add a config.action_controller.json_renderer_escapes framework default

etiennebarrie · byroot · commit a15db09f84af · 2025-03-27T08:49:50.000+01:00
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -9,7 +9,8 @@
     Escaping will still occur when the `:callback` option is set, since the JSON is used as JavaScript code in this
     situation (JSONP).
 
-    You can use the `:escape` option to restore the escaping behavior.
+    You can use the `:escape` option or set `config.action_controller.json_renderer_escapes` to `true` to restore the
+    escaping behavior.
 
     ```ruby
     class PostsController < ApplicationController
diff --git a/actionpack/lib/action_controller/metal/renderers.rb b/actionpack/lib/action_controller/metal/renderers.rb
@@ -29,6 +29,7 @@ module Renderers
 
     included do
       class_attribute :_renderers, default: Set.new.freeze
+      class_attribute :json_renderer_escapes, instance_accessor: false, default: true
     end
 
     # Used in ActionController::Base and ActionController::API to include all
@@ -153,7 +154,7 @@ def _render_to_body_with_renderer(options) # :nodoc:
 
     add :json do |json, options|
       json_options = options.except(:callback, :content_type, :status)
-      json_options[:escape] ||= false unless options[:callback].present?
+      json_options[:escape] ||= false if !self.class.json_renderer_escapes? && options[:callback].blank?
       json = json.to_json(json_options) unless json.kind_of?(String)
 
       if options[:callback].present?
diff --git a/actionpack/test/controller/render_json_test.rb b/actionpack/test/controller/render_json_test.rb
@@ -3,6 +3,7 @@
 require "abstract_unit"
 require "controller/fake_models"
 require "active_support/logger"
+require "active_support/core_ext/object/with"
 
 class RenderJsonTest < ActionController::TestCase
   class JsonRenderable
@@ -120,10 +121,12 @@ def test_render_json_with_callback_escapes_js_chars
     assert_equal "text/javascript", @response.media_type
   end
 
-  def test_render_json_without_callback_does_not_escape_js_chars
-    get :render_json_unsafe_chars_without_callback
-    assert_equal %({"hello":"\u2028\u2029<script>"}), @response.body
-    assert_equal "application/json", @response.media_type
+  def test_render_json_with_new_default_and_without_callback_does_not_escape_js_chars
+    TestController.with(json_renderer_escapes: false) do
+      get :render_json_unsafe_chars_without_callback
+      assert_equal %({"hello":"\u2028\u2029<script>"}), @response.body
+      assert_equal "application/json", @response.media_type
+    end
   end
 
   def test_render_json_with_custom_content_type
@@ -157,6 +160,6 @@ def test_render_json_calls_to_json_from_object
 
   def test_render_json_avoids_view_options
     get :render_json_inspect_options
-    assert_equal '{"options":{"escape":false}}', @response.body
+    assert_equal '{"options":{}}', @response.body
   end
 end
diff --git a/guides/source/configuring.md b/guides/source/configuring.md
@@ -60,6 +60,7 @@ Below are the default values associated with each target version. In cases of co
 
 #### Default Values for Target Version 8.1
 
+- [`config.action_controller.json_renderer_escapes`](#config-action-controller-json-renderer-escapes): `false`
 - [`config.yjit`](#config-yjit): `!Rails.env.local?`
 
 #### Default Values for Target Version 8.0
@@ -1964,6 +1965,16 @@ The default value depends on the `config.load_defaults` target version:
 Configures the [`ParamsWrapper`](https://api.rubyonrails.org/classes/ActionController/ParamsWrapper.html). This can be called at
 the top level, or on individual controllers.
 
+#### `config.action_controller.json_renderer_escapes`
+
+Configures the JSON renderer to escape HTML entities and Unicode characters that are invalid in JavaScript.
+
+This is useful if you relied on the JSON response having those characters escaped to embed the JSON document in
+\<script> tags in HTML.
+
+This is mainly for compatibility when upgrading Rails applications, otherwise you can use the `:escape` option for
+`render json:` in specific controller actions.
+
 ### Configuring Action Dispatch
 
 #### `config.action_dispatch.cookies_serializer`
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
@@ -355,6 +355,10 @@ def load_defaults(target_version)
           # redefine methods (e.g. mocking), hence YJIT isn't generally
           # faster in these environments.
           self.yjit = !Rails.env.local?
+
+          if respond_to?(:action_controller)
+            action_controller.json_renderer_escapes = false
+          end
         else
           raise "Unknown version #{target_version.to_s.inspect}"
         end
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_8_1.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_8_1.rb.tt
@@ -8,3 +8,21 @@
 #
 # Read the Guide for Upgrading Ruby on Rails for more info on each option.
 # https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+###
+# Skips escaping HTML entities and line separators. When set to `false`, the
+# JSON renderer no longer escapes these to improve performance.
+#
+# Example:
+#   class PostsController < ApplicationController
+#     def index
+#       render json: { key: "\u2028\u2029<>&" }
+#     end
+#   end
+#
+# Renders `{"key":"\u2028\u2029\u003c\u003e\u0026"}` with the previous default, but `{"key":"  <>&"}` with the config
+# set to `false`.
+#
+# Applications that want to keep the escaping behavior can set the config to `true`.
+#++
+# Rails.configuration.action_controller.json_renderer_escapes = false
