1 | from json import dumps |
---|
2 | from django import template |
---|
3 | from django.core.serializers.json import DjangoJSONEncoder |
---|
4 | from django.utils.html import format_html |
---|
5 | from django.utils.safestring import mark_safe |
---|
6 | |
---|
7 | register = template.Library() |
---|
8 | |
---|
9 | |
---|
10 | def escapejson(a): |
---|
11 | """ |
---|
12 | This will escape all the HTML/XML special characters with their unicode |
---|
13 | escapes, so it is safe to be output anywhere except for inside a tag |
---|
14 | attribute. |
---|
15 | """ |
---|
16 | json_str = dumps(a, cls=DjangoJSONEncoder) |
---|
17 | |
---|
18 | # Escape all the XML/HTML special characters. |
---|
19 | escapes = ['<', '>', '&'] |
---|
20 | for c in escapes: |
---|
21 | json_str = json_str.replace(c, r'\u%04x' % ord(c)) |
---|
22 | |
---|
23 | return mark_safe(json_str) |
---|
24 | |
---|
25 | |
---|
26 | @register.filter() |
---|
27 | def as_json_script(a, id=None): |
---|
28 | """ |
---|
29 | This will wrap the escaped json in a script tag with id set accordingly. |
---|
30 | Other javascript can load the data using |
---|
31 | JSON.parse(document.getElementById("<id>").textContent) |
---|
32 | See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse |
---|
33 | """ |
---|
34 | |
---|
35 | escaped = escapejson(a) |
---|
36 | if id: |
---|
37 | return format_html( |
---|
38 | '<script id="{}" type="application/json">{}</script>', |
---|
39 | id, escaped |
---|
40 | ) |
---|
41 | else: |
---|
42 | return format_html( |
---|
43 | '<script type="application/json">{}</script>', |
---|
44 | escaped |
---|
45 | ) |
---|
46 | as_json_script.is_safe = True |
---|