Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed #7177 -- Added extra robustness to the escapejs filter so that all

invalid characters are correctly escaped. This avoids any chance to inject raw
HTML inside <script> tags. Thanks to Mike Wiacek for the patch and Collin Grady
for the tests.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8577 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 8c4a525871df19163d5bfdf5939eff33b544c2e2 1 parent fcf059d
@malcolmt malcolmt authored
View
28 django/template/defaultfilters.py
@@ -62,20 +62,24 @@ def capfirst(value):
capfirst.is_safe=True
capfirst = stringfilter(capfirst)
-_js_escapes = (
- ('\\', '\\\\'),
- ('"', '\\"'),
- ("'", "\\'"),
- ('\n', '\\n'),
- ('\r', '\\r'),
- ('\b', '\\b'),
- ('\f', '\\f'),
- ('\t', '\\t'),
- ('\v', '\\v'),
- ('</', '<\\/'),
+_base_js_escapes = (
+ ('\\', r'\x5C'),
+ ('\'', r'\x27'),
+ ('"', r'\x22'),
+ ('>', r'\x3E'),
+ ('<', r'\x3C'),
+ ('&', r'\x26'),
+ ('=', r'\x3D'),
+ ('-', r'\x2D'),
+ (';', r'\x3B')
)
+
+# Escape every ASCII character with a value less than 32.
+_js_escapes = (_base_js_escapes +
+ tuple([('%c' % z, '\\x%02X' % z) for z in range(32)]))
+
def escapejs(value):
- """Backslash-escapes characters for use in JavaScript strings."""
+ """Hex encodes characters for use in JavaScript strings."""
for bad, good in _js_escapes:
value = value.replace(bad, good)
return value
View
3  tests/regressiontests/templates/filters.py
@@ -262,5 +262,8 @@ def get_filter_tests():
'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst }}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'),
'autoescape-stringfilter03': (r'{{ safe|capfirst }}', {'safe': SafeClass()}, 'You &gt; me'),
'autoescape-stringfilter04': (r'{% autoescape off %}{{ safe|capfirst }}{% endautoescape %}', {'safe': SafeClass()}, 'You &gt; me'),
+
+ 'escapejs01': (r'{{ a|escapejs }}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
+ 'escapejs02': (r'{% autoescape off %}{{ a|escapejs }}{% endautoescape %}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
}
Please sign in to comment.
Something went wrong with that request. Please try again.