tojson no longer escapes script blocks in HTML5 parsers. Fixed #605

pallets · Oct 7, 2012 · c4f2075 · c4f2075
1 parent 01ac057
commit c4f2075
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/CHANGES b/CHANGES
@@ -14,6 +14,7 @@ Release date to be decided.
 - Added ``template_test`` methods in addition to the already existing
   ``template_filter`` method family.
 - Set the content-length header for x-sendfile.
+- ``tojson`` filter now does not escape script blocks in HTML5 parsers.
 
 Version 0.9
 -----------

diff --git a/flask/helpers.py b/flask/helpers.py
@@ -45,11 +45,13 @@
 
 # figure out if simplejson escapes slashes.  This behavior was changed
 # from one version to another without reason.
-if '\\/' not in json.dumps('/'):
-    def _tojson_filter(*args, **kwargs):
-        return json.dumps(*args, **kwargs).replace('/', '\\/')
-else:
-    _tojson_filter = json.dumps
+_slash_escape = '\\/' not in json.dumps('/')
+
+def _tojson_filter(*args, **kwargs):
+    rv = json.dumps(*args, **kwargs)
+    if _slash_escape:
+        rv = rv.replace('/', '\\/')
+    return rv.replace('<!', '<\\u0021')
 
 
 # sentinel

diff --git a/flask/testsuite/helpers.py b/flask/testsuite/helpers.py
@@ -97,6 +97,8 @@ def test_template_escaping(self):
             self.assert_equal(rv, '"<\\/script>"')
             rv = render('{{ "<\0/script>"|tojson|safe }}')
             self.assert_equal(rv, '"<\\u0000\\/script>"')
+            rv = render('{{ "<!--<script>"|tojson|safe }}')
+            self.assert_equal(rv, '"<\\u0021--<script>"')
 
     def test_modified_url_encoding(self):
         class ModifiedRequest(flask.Request):