Error deserializing django SafeString

[maxkylu]

Serializing and then deserializing a django SafeString runs into error:
AttributeError: 'SafeString' object attribute 'capitalize' is read-only

jsonpickle version: 3.0.3
django version: 4.2.11

[maxkylu]

This script reproduces the error independent from django

import jsonpickle

########################################
### Verbatim copy from django 4.2.11 ###
########################################
class SafeData:
    __slots__ = ()

    def __html__(self):
        """
        Return the html representation of a string for interoperability.

        This allows other template engines to understand Django's SafeData.
        """
        return self


class SafeString(str, SafeData):
    """
    A str subclass that has been specifically marked as "safe" for HTML output
    purposes.
    """

    __slots__ = ()

    def __add__(self, rhs):
        """
        Concatenating a safe string with another safe bytestring or
        safe string is safe. Otherwise, the result is no longer safe.
        """
        t = super().__add__(rhs)
        if isinstance(rhs, SafeData):
            return SafeString(t)
        return t

    def __str__(self):
        return self

    def __str__(self):
        return self

### End copy from django 4.2.11 ###

s = SafeString("hi")

pickled = jsonpickle.encode(s)
print(pickled)
jsonpickle.decode(pickled)

[maxkylu]

This is an minimal reproducing example:

import jsonpickle

class SafeData:
    __slots__ = ()

class SafeString(str, SafeData):
    __slots__ = ()


s = SafeString("hi")

pickled = jsonpickle.encode(s)
print(pickled)
jsonpickle.decode(pickled)

[Theelx]

Hey, thanks for reporting this! Sorry for the late response, I've been busy with schoolwork. I'll take a look at this shortly.

[Theelx]

This looks to be very similar to #422 (comment). In that case, the issue is because the attribute is being inherited from a class implemented in C, which can make read-only attributes. The fix I implemented in that case was to skip it for subclasses of int, but since this is happening for subclasses of str too, I'll add str to the list of parent classes that can be skipped. Eventually, I'll make a more flexible check that doesn't require us to whitelist types, but that's going to have to be on the TODO list for now.

[maxkylu]

Thank you for this speedy fix.

Question: Wouldn't it be better to fix the pickler to not pickle the read only attributes? The pickled string methods actually only spam the serialized data.

[Theelx]

I thought about that, but I didn't bother trying because I didn't think it would be serializable if it didn't include that data. However, you make a good point that read-only attributes won't change and so they spam the serialized data. I'll look into working around that that, hopefully I can get a change landed soon to reduce the spammed read-only attributes while still preserving unpickleability.