root
/
flask
mirror of https://github.com/pallets/flask.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Changed |tojson filter to quote single attributes

This commit is contained in:
Armin Ronacher 2013-06-14 00:05:09 +01:00
parent 2713ea98cb
commit c502dfbbfb
3 changed files with 28 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -8,6 +8,11 @@ Version 0.10.1
Pending bugfix release. Pending bugfix release.
- Fixed an issue where ``|tojson`` was not quoting single quotes which
made the filter not work properly in HTML attributes. Now it's
possible to use that filter in single quoted attributes. This should
make using that filter with angular.js easier.
Version 0.10 Version 0.10
------------ ------------

19
flask/json.py
View File

@ -165,14 +165,29 @@ def htmlsafe_dumps(obj, **kwargs):
also mark the result as safe. Due to how this function escapes certain also mark the result as safe. Due to how this function escapes certain
characters this is safe even if used outside of ``<script>`` tags. characters this is safe even if used outside of ``<script>`` tags.
The following characters are escaped in strings:
- ``<``
- ``>``
- ``&``
- ``'``
This makes it safe to embed such strings in any place in HTML with the
notable exception of double quoted attributes. In that case single
quote your attributes or HTML escape it in addition.
.. versionchanged:: 0.10 .. versionchanged:: 0.10
This function's return value is now always safe for HTML usage, even This function's return value is now always safe for HTML usage, even
if outside of script tags or if used in XHTML. if outside of script tags or if used in XHTML. This rule does not
hold true when using this function in HTML attributes that are double
quoted. Always single quote attributes if you use the ``|tojson``
filter. Alternatively use ``|tojson|forceescape``.
""" """
rv = dumps(obj, **kwargs) \ rv = dumps(obj, **kwargs) \
.replace(u'<', u'\\u003c') \ .replace(u'<', u'\\u003c') \
.replace(u'>', u'\\u003e') \ .replace(u'>', u'\\u003e') \
.replace(u'&', u'\\u0026') .replace(u'&', u'\\u0026') \
.replace(u"'", u'\\u0027')
if not _slash_escape: if not _slash_escape:
rv = rv.replace('\\/', '/') rv = rv.replace('\\/', '/')
return rv return rv

6
flask/testsuite/helpers.py
View File

@ -104,6 +104,12 @@ class JSONTestCase(FlaskTestCase):
self.assert_equal(rv, '"\\u003c!--\\u003cscript\\u003e"') self.assert_equal(rv, '"\\u003c!--\\u003cscript\\u003e"')
rv = render('{{ "&"|tojson }}') rv = render('{{ "&"|tojson }}')
self.assert_equal(rv, '"\\u0026"') self.assert_equal(rv, '"\\u0026"')
rv = render('{{ "\'"|tojson }}')
self.assert_equal(rv, '"\\u0027"')
rv = render("<a ng-data='{{ data|tojson }}'></a>",
data={'x': ["foo", "bar", "baz'"]})
self.assert_equal(rv,
'<a ng-data=\'{"x": ["foo", "bar", "baz\\u0027"]}\'></a>')
def test_json_customization(self): def test_json_customization(self):
class X(object): class X(object):