Context Navigation

← Previous Ticket
Next Ticket →

#21731 closed Bug (fixed)

django.utils.text.javascript_quote does not escape "</" (without double quotes)

Reported by:	Vajrasky Kok	Owned by:	Vajrasky Kok
Component:	Utilities	Version:	dev
Severity:	Normal	Keywords:
Cc:	sky.kok@…, Rogério Yokomizo	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

For the uninitiated, javascript_quote is useful if you want to add dynamic text to javascript.

Consider this case:

  <div id="reviews"></div>
  <script type="text/javascript">
    $("#reviews").append("{{ dynamic_text }}");
  </script>

The dynamic text could be:

<a href='controller/action'>Action!</a>

So the relevant section of the template would be:

$("#reviews").append('<a href='controller/action'>Action!</a>');

As you can see the javascript code will break because of single quotes inside single quotes. But with javascript_quote, the relevant section of the template would be:

$("#reviews").append('<a href=\'controller/action\'>Action!</a>');

So all is well!

Well, not really. The javascript_quote only escapes carriage returns and single and double quotes and backslashes. But this is not enough. It needs to escape "</" (without double quotes) as well. Consider this case:

$("#reviews").append('<script>alert("Manly man loves cute cat");</script>');

The "</script>" (without double quotes) will break the javascript code. It is the closing tag of javascript code in html. In fact, Rails escapes "</" (without double quotes).
http://api.rubyonrails.org/classes/ActionView/Helpers/JavaScriptHelper.html

Change History (3)

comment:1 by Vajrasky Kok, 11 years ago

Cc:	sky.kok@… added
Has patch:	set
Owner:	changed from nobody to Vajrasky Kok
Status:	new → assigned

PR is here: https://github.com/django/django/pull/2142

Anyway javascript_quote name is misleading. Probably the name escape_for_javascript is better.

comment:2 by Rogério Yokomizo, 11 years ago

Cc:	Rogério Yokomizo added
Triage Stage:	Unreviewed → Ready for checkin

comment:3 by Tim Graham <timograham@…>, 11 years ago

Resolution:	→ fixed
Status:	assigned → closed

In c43c469a2e4633361f5dccf7dc7ce37054008d18:

Fixed #21731 -- Made javascript_quote escapes '</'.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues

Context Navigation

#21731 closed Bug (fixed)

django.utils.text.javascript_quote does not escape "</" (without double quotes)

Description

Change History (3)

comment:1 by Vajrasky Kok, 11 years ago

comment:2 by Rogério Yokomizo, 11 years ago

comment:3 by Tim Graham <timograham@…>, 11 years ago

Download in other formats:

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us