Safe JSON

[alexcjohnson]

Fixing a possible XSS issue when our JSON is inserted into an HTML string. We could apply this just to fig.to_html, but to be even safer I'm applying it to all JSON serialization, in case users use a different mechanism to insert this into HTML.

Performance is a concern here, but in my testing except in really pathological situations these substitutions are a good deal faster than serialization even by orjson.

• I have read through the contributing notes and understand the structure of the package. In particular, if my PR modifies code of plotly.graph_objects, my modifications concern the codegen files and not generated files.
• I have added tests (if submitting a new feature or correcting a bug) or
  modified existing tests.
• I have added a CHANGELOG entry if fixing/changing/adding anything substantial.

[alexcjohnson]

These are apparently JavaScript line terminator characters. The JS parser will see this end-of-line, see that the data structure is incomplete, and throw an error. AFAICT this isn't in itself a security issue, but it's a bug - if you ever wanted these characters in your figure for real it wouldn't work (when inserted in HTML).

The standard library json converts at least these unicode characters into escape sequences anyway, so we don't need to worry about them, but orjson sends them as unicode characters.

[alexcjohnson]

Testing first whether the character is present in the string is substantially faster than .replace when it finds even a single instance of the character - so given that much of the time you won't have some of these characters it's worthwhile including the if first. And looping over each character in turn is a lot faster than any solution I could find that only searches the string once, ie a regexp.

[alexcjohnson]

I added orjson only to py3.7 and py3.9 optional tests, so that we'd run a bunch of the other tests using json. Recent orjson doesn't support py3.6 anyway.

[LiamConnors]

💃