Opened 11 years ago
Closed 11 years ago
#21731 closed Bug (fixed)
django.utils.text.javascript_quote does not escape "</" (without double quotes)
Reported by: | Vajrasky Kok | Owned by: | Vajrasky Kok |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | sky.kok@…, Rogério Yokomizo | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
For the uninitiated, javascript_quote is useful if you want to add dynamic text to javascript.
Consider this case:
<div id="reviews"></div>
<script type="text/javascript">
$("#reviews").append("{{ dynamic_text }}");
</script>
The dynamic text could be:
<a href='controller/action'>Action!</a>
So the relevant section of the template would be:
$("#reviews").append('<a href='controller/action'>Action!</a>');
As you can see, the javascript code will break because of single quotes inside single quotes. But with javascript_quote, the relevant section of the template would be:
$("#reviews").append('<a href=\'controller/action\'>Action!</a>');
So all is well!
Well, not really. The javascript_quote only escapes carriage returns and single and double quotes and backslashes. But this is not enough. It needs to escape "</" (without double quotes) as well. Consider this case:
$("#reviews").append('<script>alert("Manly man loves cute cat");</script>');
The "</script>" (without double quotes) will break the javascript code. It is the closing tag of javascript code in html. In fact, Rails escapes "</" (without double quotes).
http://api.rubyonrails.org/classes/ActionView/Helpers/JavaScriptHelper.html
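The failure mode the ticket describes, as an added illustration rather than Django's own javascript_quote implementation: a small escaper that applies the rules the description lists (backslash, both quote characters, CR/LF) with an optional extra rule turning "</" into "<\/", plus a checker that mimics how an HTML parser would end the script element. The function names, the `escape_close_tag` flag, the template fragment and the sample payload are all constructed for this example.

```python
import re

# Constructed example (not Django's javascript_quote): the escapes the
# ticket says the helper already applies. Inside a JS string literal
# "\/" still evaluates to "/", so the extra "</" -> "<\/" rule changes
# nothing for JavaScript but stops the HTML parser from seeing "</script".
_JS_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\r": "\\r",
    "\n": "\\n",
}


def escape_for_javascript(text: str, escape_close_tag: bool = True) -> str:
    """Return `text` made safe for embedding inside a JS string literal.

    With escape_close_tag=False this mirrors the behaviour the ticket
    complains about (quotes/backslashes/newlines only); with the default
    True it also neutralises "</" so the string can never close the
    enclosing <script> element.
    """
    out = "".join(_JS_ESCAPES.get(ch, ch) for ch in text)
    if escape_close_tag:
        out = out.replace("</", "<\\/")
    return out


def embed_in_script(dynamic_text: str, escape_close_tag: bool = True) -> str:
    """Render the template line from the ticket with the value escaped."""
    return '$("#reviews").append(\'%s\');' % escape_for_javascript(
        dynamic_text, escape_close_tag
    )


def contains_script_terminator(js_source: str) -> bool:
    """True if an HTML parser would end the <script> element inside this JS.

    HTML tokenisation closes a script element at "</script" followed by
    whitespace, "/" or ">", case-insensitively; the JS string boundaries
    are irrelevant to it, which is exactly why quote escaping alone is
    insufficient.
    """
    return re.search(r"</script[\s/>]", js_source, re.IGNORECASE) is not None


# Constructed sample input: the payload from the ticket description.
PAYLOAD = '<script>alert("Manly man loves cute cat");</script>'

if __name__ == "__main__":
    weak = embed_in_script(PAYLOAD, escape_close_tag=False)
    safe = embed_in_script(PAYLOAD)
    print("quotes only  :", weak, "-> breaks out:", contains_script_terminator(weak))
    print("with </ rule :", safe, "-> breaks out:", contains_script_terminator(safe))
```

Running the block prints the two rendered template lines side by side; the quotes-only version still carries a literal `</script>` and so terminates the element, while the version with the extra rule renders `<\/script>` and survives as an ordinary string.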
Change History (3)
comment:1 by , 11 years ago
Cc: | added |
---|---|
Has patch: | set |
Owner: | changed from | to
Status: | new → assigned |
comment:2 by , 11 years ago
Cc: | added |
---|---|
Triage Stage: | Unreviewed → Ready for checkin |
comment:3 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
PR is here: https://github.com/django/django/pull/2142
Anyway, the javascript_quote name is misleading. Probably the name escape_for_javascript is better.