
tojson no longer escapes script blocks in HTML5 parsers. Fixed #605

commit c4f2075f4c4c27856fe0af77250fb75c61c0d86b 1 parent 01ac057
@mitsuhiko authored
Showing with 10 additions and 5 deletions.
  1. +1 −0  CHANGES
  2. +7 −5 flask/helpers.py
  3. +2 −0  flask/testsuite/helpers.py
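--- a/CHANGES
+++ b/CHANGES
@@ -14,6 +14,7 @@ Release date to be decided.
 - Added ``template_test`` methods in addition to the already existing
 ``template_filter`` method family.
 - Set the content-length header for x-sendfile.
+- ``tojson`` filter now does not escape script blocks in HTML5 parsers.
 Version 0.9
 -----------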
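--- a/flask/helpers.py
+++ b/flask/helpers.py
@@ -45,11 +45,13 @@
 # figure out if simplejson escapes slashes. This behavior was changed
 # from one version to another without reason.
-if '\\/' not in json.dumps('/'):
- def _tojson_filter(*args, **kwargs):
- return json.dumps(*args, **kwargs).replace('/', '\\/')
-else:
- _tojson_filter = json.dumps
+_slash_escape = '\\/' not in json.dumps('/')
+
+def _tojson_filter(*args, **kwargs):
+ rv = json.dumps(*args, **kwargs)
+ if _slash_escape:
+ rv = rv.replace('/', '\\/')
+ return rv.replace('<!', '<\\u0021')
 # sentinel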
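Review bot: `_tojson_filter` still emits raw `<`, `>`, `&` and `'`, so even with the added `rv.replace('<!', '<\\u0021')` the output is safe only as the body of a `<script>` element, not inside an HTML attribute, and every further parser state would need its own replace. Escaping the characters rather than the sequences covers `</script`, `<!--` and `<script` with one rule and makes the `_slash_escape` probe unnecessary: `return rv.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')`. The existing expectations in flask/testsuite/helpers.py would have to change with it. If the narrower fix stays, a comment above the last line such as `# '<!--' puts HTML5 parsers into the script-data-escaped state, where a later '<script>' keeps '</script>' from closing the block` would record why `<!` is special.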
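--- a/flask/testsuite/helpers.py
+++ b/flask/testsuite/helpers.py
@@ -97,6 +97,8 @@ def test_template_escaping(self):
 self.assert_equal(rv, '"<\\/script>"')
 rv = render('{{ "<\0/script>"|tojson|safe }}')
 self.assert_equal(rv, '"<\\u0000\\/script>"')
+ rv = render('{{ "<!--<script>"|tojson|safe }}')
+ self.assert_equal(rv, '"<\\u0021--<script>"')
 def test_modified_url_encoding(self):
 class ModifiedRequest(flask.Request):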
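Review bot: The added case pins only the escaped text; none of the visible assertions checks that the rendered value still decodes to the original string, which is what keeps a security escape from silently corrupting data. A round-trip check next to it, e.g. `self.assert_equal(json.loads(rv), '<!--<script>')` (assuming a JSON decoder is importable in this test module), would cover that. test_template_escaping starts above the hunk, so earlier cases may already do this for other inputs.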