From 9f30bc8c4d6702a2e206fd8027443d2edafe4729 Mon Sep 17 00:00:00 2001
From: Ayala Shachar
Date: Tue, 23 May 2017 10:24:52 -0700
Subject: [PATCH 1/4] Make tojson always safe (fix #709)

---
 jinja2/utils.py | 2 +-
 tests/test_filters.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/jinja2/utils.py b/jinja2/utils.py
index b96d30954..40c87ff4f 100644
--- a/jinja2/utils.py
+++ b/jinja2/utils.py
@@ -567,7 +567,7 @@ def htmlsafe_json_dumps(obj, dumper=None, **kwargs):
         .replace(u'>', u'\\u003e') \
         .replace(u'&', u'\\u0026') \
         .replace(u"'", u'\\u0027')
-    return rv
+    return Markup(rv)
 
 
 @implements_iterator
diff --git a/tests/test_filters.py b/tests/test_filters.py
index 318a347c4..ff941832d 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -580,8 +580,9 @@ def __init__(self, id, name):
     def test_json_dump(self):
         env = Environment(autoescape=True)
         t = env.from_string('{{ x|tojson }}')
-        assert t.render(x={'foo': 'bar'}) == '{"foo": "bar"}'
-        assert t.render(x='"bar\'') == r'"\"bar\u0027"'
+        assert t.render(x={'foo': 'bar'}) == '{"foo": "bar"}'
+        assert t.render(x='"ba&r\'') == r'"\"ba\u0026r\u0027"'
+        assert t.render(x='') == r'"\u003cbar\u003e"'
 
         def my_dumps(value, **options):
             assert options == {'foo': 'bar'}
From 86346976c61049b44d59448c12688a5cc3646917 Mon Sep 17 00:00:00 2001
From: David Lord
Date: Tue, 23 May 2017 14:57:34 -0700
Subject: [PATCH 2/4] add changelog [ci skip]

---
 CHANGES | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CHANGES b/CHANGES
index 967b40aa2..5c13ee793 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,16 @@
 Jinja2 Changelog
 ================
 
+Version 2.9.7
+-------------
+
+(bugfix release, in development)
+
+- ``tojson`` filter marks output as safe to match documented behavior.
+  (`#718`_)
+
+.. _#718: https://github.com/pallets/jinja/pull/718
+
 Version 2.9.6
 -------------
 (bugfix release, released on April 3rd 2017)
From 60a7e775d487c8de9f1b0f23c91ca9845c161fc2 Mon Sep 17 00:00:00 2001
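Review bot: Returning `Markup(rv)` exempts the whole JSON text from autoescaping, but the replace chain above only neutralizes `<`, `>`, `&` and `'`, so a literal `"` now reaches the page unescaped where autoescape would previously have turned it into an HTML entity. That makes the value safe inside a `<script>` block or a single-quoted attribute and unsafe inside a double-quoted HTML attribute, which the function's docstring should state now that the filter is marked safe; a comment at the return, `# Markup: <, >, &, ' are \uXXXX-escaped above, " is not — safe in <script> and single-quoted attributes only`, would keep that contract next to the escaping. The change also assumes `Markup` is already imported in this module, which the hunk does not show. htmlsafe_json_dumps starts outside the hunk.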
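Review bot: The third added assertion reads `x=''` on this page while its expected value `r'"\u003cbar\u003e"'` encodes `<bar>`; an empty input would render as `""` and fail, so the angle-bracket literal was presumably stripped when the patch was rendered — worth confirming the committed line is `assert t.render(x='<bar>') == r'"\u003cbar\u003e"'`. The first removed/added pair is textually identical here, so that change appears to be whitespace-only. Because the fix is that the filter output is marked safe, an explicit check that the filter returns a `Markup` instance would pin the behaviour directly; the autoescape=True render only shows it indirectly through the unescaped `"`. test_json_dump continues outside the hunk.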
From: Zac Medico
Date: Tue, 8 Aug 2017 15:00:20 -0700
Subject: [PATCH 3/4] Fix regression in 2.9 involving unsafe Context.get_all() usage

Since commit d67f0fd4cc2a4af08f51f4466150d49da7798729, callers of Context.get_all() need to make a copy it they're going to modify the result.

Fixes: d67f0fd4cc2a ("Generalize scoping. This fixes #603")
---
 jinja2/debug.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jinja2/debug.py b/jinja2/debug.py
index 07c21f1a8..b61139f0c 100644
--- a/jinja2/debug.py
+++ b/jinja2/debug.py
@@ -198,7 +198,7 @@ def translate_exception(exc_info, initial_skip=0):
 def get_jinja_locals(real_locals):
     ctx = real_locals.get('context')
     if ctx:
-        locals = ctx.get_all()
+        locals = ctx.get_all().copy()
     else:
         locals = {}
 
From d117425f5ed3f542100f20d3bf700ae7bc54039f Mon Sep 17 00:00:00 2001
From: Armin Ronacher
Date: Wed, 9 Aug 2017 09:06:39 +0200
Subject: [PATCH 4/4] Added a changelog entry

---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index 5c13ee793..38f4508cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,8 @@ Version 2.9.7
 
 - ``tojson`` filter marks output as safe to match documented behavior.
   (`#718`_)
+- Resolved a bug where getting debug locals for tracebacks could
+  modify template context.
 
 .. _#718: https://github.com/pallets/jinja/pull/718
 
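Review bot: The `.copy()` is the right fix, but nothing at the call site records why it is needed, and `locals` shadows the builtin `locals()` for the rest of the function; `ctx_locals = ctx.get_all().copy()  # get_all() may return the context's own dict, which is mutated below` would capture both, with the `else` branch renamed to match. The copy is shallow, which is sufficient only if the code after the hunk rebinds keys rather than mutating the values it finds — the commit message says the result is modified but not how. The body of get_jinja_locals continues outside the hunk.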