
Fixed a security problem caused by changed simplejson semantics.

Notice: this was never in a release version of Flask.
pull/1638/head
Armin Ronacher 15 years ago
parent
commit
ade490514d
  1. 2
      docs/api.rst
  2. 3
      docs/patterns/jquery.rst
  3. 7
      flask.py
  4. 6
      tests/flask_tests.py

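--- a/docs/api.rst
+++ b/docs/api.rst
@@ -250,6 +250,8 @@ Returning JSON
 doSomethingWith({{ user.username|tojson|safe }});
 </script>
+Note that the ``|tojson`` filter escapes forward slashes properly.
 Template Rendering
 ------------------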

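--- a/docs/patterns/jquery.rst
+++ b/docs/patterns/jquery.rst
@@ -77,7 +77,8 @@ inside a `script` block here where different rules apply.
 will not be parsed. Everything until ``</script>`` is handled as script.
 This also means that there must never be any ``</`` between the script
 tags. ``|tojson`` is kindly enough to do the right thing here and
-escape backslashes for you.
+escape slashes for you (``{{ "</script>"|tojson|safe }`` is rendered as
+``"<\/script>"``).
 JSON View Functions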

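--- a/flask.py
+++ b/flask.py
@@ -259,6 +259,11 @@ def _get_package_path(name):
     return os.getcwd()
+def _tojson_filter(string, *args, **kwargs):
+    """Calls dumps for the template engine, escaping Slashes properly."""
+    return json.dumps(string, *args, **kwargs).replace('/', '\\/')
 class Flask(object):
     """The flask object implements a WSGI application and acts as the central
     object. It is passed the name of the module or package of the
@@ -379,7 +384,7 @@ class Flask(object):
             get_flashed_messages=get_flashed_messages
         )
         if json_available:
-            self.jinja_env.filters['tojson'] = json.dumps
+            self.jinja_env.filters['tojson'] = _tojson_filter
     def create_jinja_loader(self):
         """Creates the Jinja loader. By default just a package loader for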
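Review bot: `_tojson_filter` in the first hunk names its parameter `string`, but it forwards whatever value the template applies the filter to (the old filter was plain `json.dumps`, which accepts dicts and lists too), so `obj` would describe it better, and the docstring should say why the replacement exists: the output is used with `|safe` inside `<script>` blocks (see the docs hunks in this commit), where a literal `</` would end the script element, and `\/` is a JSON escape that decodes back to `/`. Suggested docstring: `"""Call json.dumps for the template engine and escape ``/`` as ``\\/`` so that output used with ``|safe`` inside a ``<script>`` block never contains ``</``."""`. Note that `*args, **kwargs` pass straight through to `json.dumps`, so a caller supplying `ensure_ascii=False` gets non-ASCII characters unescaped; the `</` guarantee still holds because `<` and `/` are ASCII, but that interaction is worth a sentence in the docstring.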

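--- a/tests/flask_tests.py
+++ b/tests/flask_tests.py
@@ -194,6 +194,12 @@ class JSONTestCase(unittest.TestCase):
                     content_type='application/json')
         assert rv.data == '3'
+    def test_template_escaping(self):
+        app = flask.Flask(__name__)
+        with app.test_request_context():
+            rv = flask.render_template_string('{{ "</script>"|tojson|safe }}')
+            assert rv == '"<\\/script>"'
 class TemplatingTestCase(unittest.TestCase):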
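Review bot: `test_template_escaping` pins only the string case, while the filter replaces the former plain `json.dumps` filter for any JSON-serializable value; one more assertion would confirm that slashes inside a container are escaped the same way, e.g. `rv = flask.render_template_string('{{ {"a": "</b>"}|tojson|safe }}')` followed by `assert rv == '{"a": "<\\/b>"}'`. The filter is registered only `if json_available` (flask.py hunk), so on an interpreter without a json module this test fails on an unknown filter rather than skipping; presumably the other JSONTestCase tests already share that assumption.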
