| 1 | from json import dumps |
|---|
| 2 | from django import template |
|---|
| 3 | from django.core.serializers.json import DjangoJSONEncoder |
|---|
| 4 | from django.utils.html import format_html |
|---|
| 5 | from django.utils.safestring import mark_safe |
|---|
| 6 | |
|---|
| 7 | register = template.Library() |
|---|
| 8 | |
|---|
| 9 | |
|---|
| 10 | def escapejson(a): |
|---|
| 11 | """ |
|---|
| 12 | This will escape all the HTML/XML special characters with their unicode |
|---|
| 13 | escapes, so it is safe to be output anywhere except for inside a tag |
|---|
| 14 | attribute. |
|---|
| 15 | """ |
|---|
| 16 | json_str = dumps(a, cls=DjangoJSONEncoder) |
|---|
| 17 | |
|---|
| 18 | # Escape all the XML/HTML special characters. |
|---|
| 19 | escapes = ['<', '>', '&'] |
|---|
| 20 | for c in escapes: |
|---|
| 21 | json_str = json_str.replace(c, r'\u%04x' % ord(c)) |
|---|
| 22 | |
|---|
| 23 | return mark_safe(json_str) |
|---|
| 24 | |
|---|
| 25 | |
|---|
| 26 | @register.filter() |
|---|
| 27 | def as_json_script(a, id=None): |
|---|
| 28 | """ |
|---|
| 29 | This will wrap the escaped json in a script tag with id set accordingly. |
|---|
| 30 | Other javascript can load the data using |
|---|
| 31 | JSON.parse(document.getElementById("<id>").textContent) |
|---|
| 32 | See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse |
|---|
| 33 | """ |
|---|
| 34 | |
|---|
| 35 | escaped = escapejson(a) |
|---|
| 36 | if id: |
|---|
| 37 | return format_html( |
|---|
| 38 | '<script id="{}" type="application/json">{}</script>', |
|---|
| 39 | id, escaped |
|---|
| 40 | ) |
|---|
| 41 | else: |
|---|
| 42 | return format_html( |
|---|
| 43 | '<script type="application/json">{}</script>', |
|---|
| 44 | escaped |
|---|
| 45 | ) |
|---|
| 46 | as_json_script.is_safe = True |
|---|