Imply the |safe on tojson in templates and change escaping logic

11 years ago · ef72b78042
7 changed files with 46 additions and 31 deletions
--- a/2
+++ b/2
@ -17,6 +17,8 @@ Release date to be decided.
  ``template_filter`` method family.
 - Set the content-length header for x-sendfile.
 - ``tojson`` filter now does not escape script blocks in HTML5 parsers.
+- ``tojson`` used in templates is now safe by default due.  This was
+  allowed due to the different escaping behavior.
 - Flask will now raise an error if you attempt to register a new function
  on an already used endpoint.
 - Added wrapper module around simplejson and added default serialization
--- a/docs/api.rst
+++ b/docs/api.rst
@ -364,7 +364,8 @@ JSON module:
 The :func:`~htmlsafe_dumps` function of this json module is also available
 as filter called ``|tojson`` in Jinja2.  Note that inside `script`
 tags no escaping must take place, so make sure to disable escaping
-with ``|safe`` if you intend to use it inside `script` tags:
+with ``|safe`` if you intend to use it inside `script` tags unless
+you are using Flask 0.10 which implies that:

 .. sourcecode:: html+jinja

@ -372,8 +373,6 @@ with ``|safe`` if you intend to use it inside `script` tags:
        doSomethingWith({{ user.username|tojson|safe }});
    </script>

-Note that the ``|tojson`` filter escapes forward slashes properly.
-
 .. autofunction:: jsonify

 .. autofunction:: dumps
--- a/docs/patterns/jquery.rst
+++ b/docs/patterns/jquery.rst
@ -63,9 +63,10 @@ like this:
     $SCRIPT_ROOT = {{ request.script_root|tojson|safe }};
   </script>

-The ``|safe`` is necessary so that Jinja does not escape the JSON encoded
-string with HTML rules.  Usually this would be necessary, but we are
-inside a `script` block here where different rules apply.
+The ``|safe`` is necessary in Flask before 0.10 so that Jinja does not
+escape the JSON encoded string with HTML rules.  Usually this would be
+necessary, but we are inside a `script` block here where different rules
+apply.

 .. admonition:: Information for Pros

@ -76,6 +77,10 @@ inside a `script` block here where different rules apply.
   escape slashes for you (``{{ "</script>"|tojson|safe }}`` is rendered as
   ``"<\/script>"``).

+   In Flask 0.10 it goes a step further and escapes all HTML tags with
+   unicode escapes.  This makes it possible for Flask to automatically
+   mark the result as HTML safe.
+

 JSON View Functions
 -------------------
--- a/docs/templating.rst
+++ b/docs/templating.rst
@ -106,8 +106,8 @@ by Jinja2 itself:
   fly.

   Note that inside `script` tags no escaping must take place, so make
-   sure to disable escaping with ``|safe`` if you intend to use it inside
-   `script` tags:
+   sure to disable escaping with ``|safe`` before Flask 0.10 if you intend
+   to use it inside `script` tags:

   .. sourcecode:: html+jinja

@ -115,8 +115,6 @@ by Jinja2 itself:
           doSomethingWith({{ user.username|tojson|safe }});
       </script>

-   That the ``|tojson`` filter escapes forward slashes properly for you.
-
 Controlling Autoescaping
 ------------------------

--- a/flask/app.py
+++ b/flask/app.py
@ -659,7 +659,7 @@ class Flask(_PackageBoundObject):
            session=session,
            g=g
        )
-        rv.filters['tojson'] = json.htmlsafe_dumps
+        rv.filters['tojson'] = json.tojson_filter
        return rv

    def create_global_jinja_loader(self):
@ -1707,13 +1707,6 @@ class Flask(_PackageBoundObject):
            rv = func(exc)
        request_tearing_down.send(self, exc=exc)

-        # If this interpreter supports clearing the exception information
-        # we do that now.  This will only go into effect on Python 2.x,
-        # on 3.x it disappears automatically at the end of the exception
-        # stack.
-        if hasattr(sys, 'exc_clear'):
-            sys.exc_clear()
-
    def do_teardown_appcontext(self, exc=None):
        """Called when an application context is popped.  This works pretty
        much the same as :meth:`do_teardown_request` but for the application
--- a/flask/json.py
+++ b/flask/json.py
@ -15,6 +15,7 @@ from .globals import current_app, request
 from ._compat import text_type, PY2

 from werkzeug.http import http_date
+from jinja2 import Markup

 # Use the same json implementation as itsdangerous on which we
 # depend anyways.
@ -160,18 +161,26 @@ def load(fp, **kwargs):
 def htmlsafe_dumps(obj, **kwargs):
    """Works exactly like :func:`dumps` but is safe for use in ``<script>``
    tags.  It accepts the same arguments and returns a JSON string.  Note that
-    this is available in templates through the ``|tojson`` filter but it will
-    have to be wrapped in ``|safe`` unless **true** XHTML is being used.
+    this is available in templates through the ``|tojson`` filter which will
+    also mark the result as safe.  Due to how this function escapes certain
+    characters this is safe even if used outside of ``<script>`` tags.
+
+    .. versionchanged:: 0.10
+       This function's return value is now always safe for HTML usage, even
+       if outside of script tags or if used in XHTML.
    """
-    rv = dumps(obj, **kwargs)
-    if _slash_escape:
-        rv = rv.replace('/', '\\/')
-    return rv.replace('<!', '<\\u0021')
+    rv = dumps(obj, **kwargs) \
+        .replace(u'<', u'\\u003c') \
+        .replace(u'>', u'\\u003e') \
+        .replace(u'&', u'\\u0026')
+    if not _slash_escape:
+        rv = rv.replace('\\/', '/')
+    return rv


 def htmlsafe_dump(obj, fp, **kwargs):
    """Like :func:`htmlsafe_dumps` but writes into a file object."""
-    fp.write(htmlsafe_dumps(obj, **kwargs))
+    fp.write(unicode(htmlsafe_dumps(obj, **kwargs)))


 def jsonify(*args, **kwargs):
@ -213,3 +222,7 @@ def jsonify(*args, **kwargs):
    return current_app.response_class(dumps(dict(*args, **kwargs),
        indent=indent),
        mimetype='application/json')
+
+
+def tojson_filter(obj, **kwargs):
+    return Markup(htmlsafe_dumps(obj, **kwargs))
--- a/flask/testsuite/helpers.py
+++ b/flask/testsuite/helpers.py
@ -92,12 +92,17 @@ class JSONTestCase(FlaskTestCase):
        app = flask.Flask(__name__)
        render = flask.render_template_string
        with app.test_request_context():
-            rv = render('{{ "</script>"|tojson|safe }}')
-            self.assert_equal(rv, '"<\\/script>"')
-            rv = render('{{ "<\0/script>"|tojson|safe }}')
-            self.assert_equal(rv, '"<\\u0000\\/script>"')
-            rv = render('{{ "<!--<script>"|tojson|safe }}')
-            self.assert_equal(rv, '"<\\u0021--<script>"')
+            rv = flask.json.htmlsafe_dumps('</script>')
+            self.assert_equal(rv, u'"\\u003c/script\\u003e"')
+            self.assert_equal(type(rv), text_type)
+            rv = render('{{ "</script>"|tojson }}')
+            self.assert_equal(rv, '"\\u003c/script\\u003e"')
+            rv = render('{{ "<\0/script>"|tojson }}')
+            self.assert_equal(rv, '"\\u003c\\u0000/script\\u003e"')
+            rv = render('{{ "<!--<script>"|tojson }}')
+            self.assert_equal(rv, '"\\u003c!--\\u003cscript\\u003e"')
+            rv = render('{{ "&"|tojson }}')
+            self.assert_equal(rv, '"\\u0026"')

    def test_json_customization(self):
        class X(object):