Escape HTML in JSON output by default, to prevent potential XSS.

Daniel15 · Daniel15 · commit 719d5a471f9f · 2015-04-23T21:46:18.000-07:00
diff --git a/build.proj b/build.proj
@@ -11,7 +11,7 @@ of patent rights can be found in the PATENTS file in the same directory.
 	<PropertyGroup>
 		<Major>1</Major>
 		<Minor>5</Minor>
-		<Build>0</Build>
+		<Build>1</Build>
 		<Revision>0</Revision>
 		<DevNuGetServer>http://reactjs.net/packages/</DevNuGetServer>
 		<MSBuildCommunityTasksPath>$(MSBuildProjectDirectory)\tools\MSBuildTasks</MSBuildCommunityTasksPath>
diff --git a/src/React.AspNet/project.json b/src/React.AspNet/project.json
@@ -1,5 +1,5 @@
 {
-    "version": "1.5.0-*",
+    "version": "1.5.1-*",
     "configurations": {
         "Debug": {
             "compilationOptions": {
diff --git a/src/React.Core/ReactSiteConfiguration.cs b/src/React.Core/ReactSiteConfiguration.cs
@@ -9,7 +9,6 @@
 
 using Newtonsoft.Json;
 using System.Collections.Generic;
-using System.Collections.ObjectModel;
 using System.Linq;
 
 namespace React
@@ -38,6 +37,10 @@ public ReactSiteConfiguration()
 			ReuseJavaScriptEngines = true;
 			AllowMsieEngine = true;
 			LoadReact = true;
+			JsonSerializerSettings = new JsonSerializerSettings
+			{
+				StringEscapeHandling = StringEscapeHandling.EscapeHtml
+			};
 		}
 
 		/// <summary>
diff --git a/src/React.Sample.Mvc6/project.json b/src/React.Sample.Mvc6/project.json
@@ -1,7 +1,7 @@
 {
     /* Click to learn more about project.json  http://go.microsoft.com/fwlink/?LinkID=517074 */
     "webroot": "wwwroot",
-    "version": "1.5.0-*",
+    "version": "1.5.1-*",
     "dependencies": {
         "Microsoft.AspNet.Mvc": "6.0.0.0-beta3",
         "Microsoft.AspNet.Diagnostics": "1.0.0.0-beta3",
diff --git a/src/wrap/React.Core/project.json b/src/wrap/React.Core/project.json
@@ -1,5 +1,5 @@
 {
-  "version": "1.5.0-*",
+  "version": "1.5.1-*",
   "frameworks": {
     "net40": {
       "wrappedProject": "../../React.Core/React.Core.csproj",
diff --git a/src/wrap/React/project.json b/src/wrap/React/project.json
@@ -1,5 +1,5 @@
 {
-  "version": "1.5.0-*",
+  "version": "1.5.1-*",
   "frameworks": {
     "net40": {
       "wrappedProject": "../../React.Core/React.Core.csproj",
diff --git a/src/wrap/VroomJs/project.json b/src/wrap/VroomJs/project.json
@@ -1,5 +1,5 @@
 {
-  "version": "1.5.0-*",
+  "version": "1.5.1-*",
   "frameworks": {
     "net40": {
       "bin": {

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "version": "1.5.0-*",`
	`2`	`+ "version": "1.5.1-*",`
`3`	`3`	`"configurations": {`
`4`	`4`	`"Debug": {`
`5`	`5`	`"compilationOptions": {`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`/* Click to learn more about project.json http://go.microsoft.com/fwlink/?LinkID=517074 */`
`3`	`3`	`"webroot": "wwwroot",`
`4`		`- "version": "1.5.0-*",`
	`4`	`+ "version": "1.5.1-*",`
`5`	`5`	`"dependencies": {`
`6`	`6`	`"Microsoft.AspNet.Mvc": "6.0.0.0-beta3",`
`7`	`7`	`"Microsoft.AspNet.Diagnostics": "1.0.0.0-beta3",`