Changed |tojson filter to quote single attributes

2013-06-14 00:05:09 +01:00 · 2013-06-14 00:05:09 +01:00 · c502dfbbfb
parent 2713ea98cb
commit c502dfbbfb
3 changed files with 28 additions and 2 deletions
--- a/5
+++ b/5
@ -8,6 +8,11 @@ Version 0.10.1

 Pending bugfix release.

+- Fixed an issue where ``|tojson`` was not quoting single quotes which
+  made the filter not work properly in HTML attributes.  Now it's
+  possible to use that filter in single quoted attributes.  This should
+  make using that filter with angular.js easier.
+
 Version 0.10
 ------------

--- a/flask/json.py
+++ b/flask/json.py
@ -165,14 +165,29 @@ def htmlsafe_dumps(obj, **kwargs):
    also mark the result as safe.  Due to how this function escapes certain
    characters this is safe even if used outside of ``<script>`` tags.

+    The following characters are escaped in strings:
+
+    -   ``<``
+    -   ``>``
+    -   ``&``
+    -   ``'``
+
+    This makes it safe to embed such strings in any place in HTML with the
+    notable exception of double quoted attributes.  In that case single
+    quote your attributes or HTML escape it in addition.
+
    .. versionchanged:: 0.10
       This function's return value is now always safe for HTML usage, even
-       if outside of script tags or if used in XHTML.
+       if outside of script tags or if used in XHTML.  This rule does not
+       hold true when using this function in HTML attributes that are double
+       quoted.  Always single quote attributes if you use the ``|tojson``
+       filter.  Alternatively use ``|tojson|forceescape``.
    """
    rv = dumps(obj, **kwargs) \
        .replace(u'<', u'\\u003c') \
        .replace(u'>', u'\\u003e') \
-        .replace(u'&', u'\\u0026')
+        .replace(u'&', u'\\u0026') \
+        .replace(u"'", u'\\u0027')
    if not _slash_escape:
        rv = rv.replace('\\/', '/')
    return rv
--- a/flask/testsuite/helpers.py
+++ b/flask/testsuite/helpers.py
@ -104,6 +104,12 @@ class JSONTestCase(FlaskTestCase):
            self.assert_equal(rv, '"\\u003c!--\\u003cscript\\u003e"')
            rv = render('{{ "&"|tojson }}')
            self.assert_equal(rv, '"\\u0026"')
+            rv = render('{{ "\'"|tojson }}')
+            self.assert_equal(rv, '"\\u0027"')
+            rv = render("<a ng-data='{{ data|tojson }}'></a>",
+                data={'x': ["foo", "bar", "baz'"]})
+            self.assert_equal(rv,
+                '<a ng-data=\'{"x": ["foo", "bar", "baz\\u0027"]}\'></a>')

    def test_json_customization(self):
        class X(object):