mirror of https://we.phorge.it/source/arcanist.git, synced 2024-11-21 22:32:41 +01:00
Clarify comment in PhutilJSON about required PHP version
Summary:
Future developers may want to clean up some code after bumping required versions, so explicitly state that `JSON_UNESCAPED_SLASHES` was introduced in PHP 5.4.0 and that the PHP JSON extension is a core PHP extension since PHP 8.0.0 and cannot be disabled anymore, to save time looking up stuff.

https://www.php.net/ChangeLog-5.php#5.4.0
https://www.php.net/manual/en/json.installation.php

Test Plan: Read the docs.

Reviewers: O1 Blessed Committers, valerio.bozzolan

Reviewed By: O1 Blessed Committers, valerio.bozzolan

Subscribers: tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Differential Revision: https://we.phorge.it/D25807
parent 04e3e250f7
commit 9f66bff5f6
1 changed files with 2 additions and 1 deletions
|
@ -131,7 +131,8 @@ final class PhutilJSON extends Phobject {
|
||||||
return $this->encodeFormattedObject($value, $depth);
|
return $this->encodeFormattedObject($value, $depth);
|
||||||
} else {
|
} else {
|
||||||
if (defined('JSON_UNESCAPED_SLASHES')) {
|
if (defined('JSON_UNESCAPED_SLASHES')) {
|
||||||
// If we have a new enough version of PHP, disable escaping of slashes
|
// If we have PHP >= 5.4.0 && the JSON extension is installed (as of
|
||||||
|
// PHP 8.0.0, it is a core PHP extension), disable escaping of slashes
|
||||||
// when pretty-printing values. Escaping slashes can defuse an attack
|
// when pretty-printing values. Escaping slashes can defuse an attack
|
||||||
// where the attacker embeds "</script>" inside a JSON string, but that
|
// where the attacker embeds "</script>" inside a JSON string, but that
|
||||||
// isn't relevant when rendering JSON for human viewers.
|
// isn't relevant when rendering JSON for human viewers.
|
||||||
|
|
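Review bot: In the reworded comment above the `defined('JSON_UNESCAPED_SLASHES')` branch, "PHP >= 5.4.0 && the JSON extension is installed" mixes operator syntax into prose and never says what the guard is for once both conditions always hold. Since the summary gives future cleanup as the motivation, consider wording it as "PHP >= 5.4.0 with the JSON extension (a core extension as of PHP 8.0.0)" and stating that the `defined()` check can be dropped once the minimum supported PHP version guarantees both. The `</script>` sentence would also benefit from spelling out the assumption it relies on: output from this pretty-printing path is for human viewers and is not meant to be embedded in an HTML `<script>` context, which is what makes unescaped slashes acceptable here.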