Ticket #17419: json_tags.py

File json_tags.py, 1.4 KB (added by blighj, 3 years ago)
Line 
1from json import dumps
2from django import template
3from django.core.serializers.json import DjangoJSONEncoder
4from django.utils.html import format_html
5from django.utils.safestring import mark_safe
6
7register = template.Library()
8
9
10def escapejson(a):
11    """
12    This will escape all the HTML/XML special characters with their unicode
13    escapes, so it is safe to be output anywhere except for inside a tag
14    attribute.
15    """
16    json_str = dumps(a, cls=DjangoJSONEncoder)
17
18    # Escape all the XML/HTML special characters.
19    escapes = ['<', '>', '&']
20    for c in escapes:
21        json_str = json_str.replace(c, r'\u%04x' % ord(c))
22
23    return mark_safe(json_str)
24
25
26@register.filter()
27def as_json_script(a, id=None):
28    """
29    This will wrap the escaped json in a script tag with id set accordingly.
30    Other javascript can load the data using
31    JSON.parse(document.getElementById("<id>").textContent)
32    See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse
33    """
34
35    escaped = escapejson(a)
36    if id:
37        return format_html(
38            '<script id="{}" type="application/json">{}</script>',
39            id, escaped
40        )
41    else:
42        return format_html(
43            '<script type="application/json">{}</script>',
44            escaped
45        )
46as_json_script.is_safe = True
Back to Top