Double quote symbol leads to escaping when serializing errors to json #255

bearz opened this Issue Jul 30, 2015 · 3 comments


bearz commented Jul 30, 2015

Hi there!

Thanks for the work you've done on the library. I met a pretty minor issue that I want to report: when you generate a validation error for the email field you put a double quote there, which then leads to unnecessary escaping when you try to send this validation back to the client. The solution is pretty easy — wrap the parameter value with a single quote, not a double quote. It still maintains readability, but doesn't conflict with JSON symbols anymore. I'm attaching code below to showcase what I mean.

Thanks in advance!

In [1]: from marshmallow import fields, Schema

In [2]: from simplejson import dumps

In [3]: class Test(Schema):
    ...:         email = fields.Email()

In [4]: schema = Test()

In [5]: _, errors = schema.load({'email': 'example@example.c'})

In [6]: errors
Out[6]: {'email': [u'"example@example.c" is not a valid email address.']}

In [7]: dumps(errors)
Out[7]: '{"email": ["\\"example@example.c\\" is not a valid email address."]}'

sloria commented Jul 31, 2015

Thanks for reporting, @bearz. Another solution to this is to never show the input value in error messages by default. Not only does that avoid the escaping problem, but it also puts less burden on the client to do any necessary sanitization of the messages.

If you wanted to show the input, you could do so in a custom error message.

fields.Email(error="'{input}' is not a valid email address.")

@sloria sloria added this to the 2.0.0 (final) milestone Jul 31, 2015

@sloria sloria closed this in 2799246 Aug 1, 2015


sloria commented Aug 1, 2015

I've gone ahead and changed the default error messages for Email and URL so that they don't include user input. This gets rid of the "double-quoting" issue as well.
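The two message styles discussed in this thread, as an added example that is not marshmallow's own code: `EmailField` below is a constructed stand-in whose `error=` argument mimics marshmallow's `{input}` placeholder, and whose regex is a simplified check rather than marshmallow's validator. It shows why a default message that omits the input serializes cleanly and keeps untrusted data out of the response, while a template that echoes the input carries the escaping and sanitization burden.

```python
import json
import re

# Constructed stand-in for a marshmallow-style Email field. Only enough
# behaviour is implemented to contrast the two message styles from the thread.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")  # simplified check


class EmailField:
    # Default message never echoes the submitted value (the 2.0 behaviour).
    default_error = "Not a valid email address."

    def __init__(self, error=None):
        # Like marshmallow's `error=` argument, a custom template may use the
        # `{input}` placeholder to include the submitted value in the message.
        self.error = error

    def validate(self, value):
        """Return a list of error strings (empty when the value is valid)."""
        if EMAIL_RE.match(value):
            return []
        if self.error is None:
            return [self.default_error]
        return [self.error.format(input=value)]


def load_and_serialize(field, value):
    """Validate `value` and serialize the error dict to JSON, as a server
    would before returning it to a client. Returns (errors, json_text)."""
    errors = field.validate(value)
    payload = {"email": errors} if errors else {}
    return payload, json.dumps(payload)


def message_echoes_input(field, value):
    """True when the submitted (untrusted) value appears verbatim in the
    error message, i.e. the client must sanitize the message before display."""
    _, text = load_and_serialize(field, value)
    return value in text


if __name__ == "__main__":
    bad = "example@example.c"
    # Default: no input in the message, so no escaping and nothing to sanitize.
    print(load_and_serialize(EmailField(), bad)[1])
    # Single-quoted custom template: readable, no JSON escaping needed.
    print(load_and_serialize(EmailField(error="'{input}' is not a valid email address."), bad)[1])
    # Double-quoted template (the original behaviour): backslash-escaped quotes.
    print(load_and_serialize(EmailField(error='"{input}" is not a valid email address.'), bad)[1])
```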


bearz commented Aug 2, 2015

Thank you, Steven!
