Added escaper for </ in string variables

Author: gazay

lib/gon.rb

@@ -4,6 +4,7 @@
 require 'action_view'
 require 'action_controller'
 require 'gon/helpers'
+require 'gon/escaper'
 if defined?(Rabl)
   require 'gon/rabl'
 end

lib/gon/escaper.rb

@@ -0,0 +1,20 @@
+module Gon
+  module Escaper
+    class << self
+
+      GON_JS_ESCAPE_MAP = {
+        '</'    => '<\/'
+      }
+
+      def escape(javascript)
+        if javascript
+          result = javascript.gsub(/(<\/)/u) {|match| GON_JS_ESCAPE_MAP[match] }
+          javascript.html_safe? ? result.html_safe : result
+        else
+          ''
+        end
+      end
+
+    end
+  end
+end

lib/gon/helpers.rb

@@ -6,6 +6,7 @@ def self.included base
     end
 
     module InstanceMethods
+
       def include_gon(options = {})
         if Gon.request_env && Gon.all_variables.present? && Gon.request == request.object_id
           data = Gon.all_variables
@@ -21,67 +22,35 @@ def include_gon(options = {})
               script << namespace + '.' + key.to_s + '=' + val.to_json + ';'
             end
           end
-          script = start + escape_javascript(script) + '</script>'
+          script = start + Gon.escape(script) + '</script>'
           script.html_safe
         else
           ""
         end
       end
 
-      unless self.respond_to? :escape_javascript
-        # Just add helper from rails 3-2-stable
-
-        JS_ESCAPE_MAP = {
-          '\\'    => '\\\\',
-          '</'    => '<\/',
-          "\r\n"  => '\n',
-          "\n"    => '\n',
-          "\r"    => '\n',
-          '"'     => '\\"',
-          "'"     => "\\'"
-        }
-
-        if "ruby".encoding_aware?
-          JS_ESCAPE_MAP["\342\200\250".force_encoding('UTF-8').encode!] = '&#x2028;'
-        else
-          JS_ESCAPE_MAP["\342\200\250"] = '&#x2028;'
-        end
-
-        # Escapes carriage returns and single and double quotes for JavaScript segments.
-        #
-        # Also available through the alias j(). This is particularly helpful in JavaScript responses, like:
-        #
-        #   $('some_element').replaceWith('<%=j render 'some/element_template' %>');
-        def escape_javascript(javascript)
-          if javascript
-            result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] }
-            javascript.html_safe? ? result.html_safe : result
-          else
-            ''
-          end
-        end
-
-        alias_method :j, :escape_javascript
-      end
     end
   end
 
   module GonHelpers
+
     def self.included base
       base.send(:include, InstanceMethods)
     end
 
     module InstanceMethods
+
       def gon
         if !Gon.request_env || Gon.request != request.object_id
           Gon.request = request.object_id
           Gon.request_env = request.env
         end
         Gon
       end
+
     end
-  end
 
+  end
 end
 
 ActionView::Base.send :include, Gon::Helpers

spec/gon/gon_spec.rb

@@ -37,17 +37,24 @@
     end
 
     it 'outputs correct js with an integer' do
-        Gon.int = 1
-        @base.include_gon.should == "<script>window.gon = {};" +
-                                     "gon.int=1;" +
-                                   "</script>"
+      Gon.int = 1
+      @base.include_gon.should == '<script>window.gon = {};' +
+                                    'gon.int=1;' +
+                                  '</script>'
     end
 
     it 'outputs correct js with a string' do
       Gon.str = %q(a'b"c)
       @base.include_gon.should == '<script>window.gon = {};' +
-                                   %q(gon.str="a'b\"c";) +
-                                 '</script>'
+                                    %q(gon.str="a'b\"c";) +
+                                  '</script>'
+    end
+
+    it 'outputs correct js with a script string' do
+      Gon.str = %q(</script><script>alert('!')</script>)
+      @base.include_gon.should == '<script>window.gon = {};' +
+                                    %q(gon.str="<\\/script><script>alert('!')<\\/script>";) +
+                                  '</script>'
     end
 
   end