tojson not marking items as safe per docs #709
Comments
This seems like an easy fix, if you'd like to submit a pull request.
I think it just requires a Markup() around the results before returning, but I'm afraid to submit the request because I don't know all the comprehensive test cases you'd want to run it through, and I'd feel negligent submitting without fully testing. Sorry.
Don't worry, it's not that bad! Adding Markup around it, then making sure the existing test doesn't escape something, should be fine.
I totally agree, it would make a great beginner fix for someone. Best!
On May 1, 2017, at 10:52 AM, David Lord ***@***.***> wrote:
Don't worry, it's not that bad! Adding Markup around it, then making sure the existing test doesn't escape something, should be fine.
This sounds like a backwards-incompatible change to me (just like it was in Flask, but at least Flask is pre-1.0). If Jinja itself used to autoescape json data changing it means people need to add |
The documentation says it's only safe inside of scripts. So either it's a bug that it's not surrounded by Markup() and you have to deal with people who were misusing it, or it's a feature, in which case, when you folks do eventually make autoescape the default (which is a very sane thing to do, and will squash more XSS bugs), you're going to have to deal with every place tojson is used, in a script, which is now going to need an explicit "|safe". There's no perfect answer, but I'd lean towards following what the documentation always claimed it did, and save yourself the huge breakage you're going to experience any time someone runs with autoescape enabled (which is your stated future default).
It was also introduced very recently in 2.9, so it feels ok to fix this to match the documented behavior in 2.9-maintenance.
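The thread above turns on one mechanism: under autoescape, Jinja passes every expression result through its escape step, which trusts objects that implement the `__html__` protocol (what `markupsafe.Markup` provides) and HTML-escapes everything else. The following is an added example, not Jinja's own code and not from anyone in this thread: it models that mechanism with the standard library only, so it runs without Jinja installed. `Markup`, `autoescape`, `tojson_unfixed`, `tojson_fixed`, `render_script`, `render_attr`, `script_payload` and the `SAMPLE` input are all constructed here for illustration; the four characters replaced in `script_safe_json` are the ones Jinja's `htmlsafe_json_dumps` replaces. It shows the reported breakage (a plain `str` result gets HTML-escaped and is no longer JSON inside `<script>`), the documented behaviour once the result is wrapped in `Markup()`, and the caveat from the docs that the wrapped result is only safe inside a script, not in an attribute.

```python
import html
import json


class Markup(str):
    """Minimal stand-in for markupsafe.Markup: a str that autoescape trusts.

    Jinja's autoescape trusts any object exposing __html__(); that is the whole
    difference between a filter returning str and one returning Markup.
    """

    def __html__(self):
        return self


def autoescape(value):
    """Model of the escape step Jinja applies to each {{ expression }} when
    autoescape is on: pass __html__ objects through, HTML-escape the rest."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


# Replacing these four characters with JSON \u escapes is what makes a JSON
# literal safe inside <script>: "</script>" can no longer occur in it, and the
# decoded value is unchanged because JSON parsers honour the escapes.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026", "'": "\\u0027"}


def script_safe_json(obj):
    text = json.dumps(obj)
    for ch, rep in _SCRIPT_ESCAPES.items():
        text = text.replace(ch, rep)
    return text


def tojson_unfixed(obj):
    """Behaviour reported in the issue: a plain str, so autoescape re-escapes it."""
    return script_safe_json(obj)


def tojson_fixed(obj):
    """Behaviour the docs promise: the same text, marked safe with Markup()."""
    return Markup(script_safe_json(obj))


def render_script(tojson, data):
    """Stands in for '<script>var cfg = {{ data|tojson }};</script>'."""
    return "<script>var cfg = " + autoescape(tojson(data)) + ";</script>"


def render_attr(tojson, data):
    """Stands in for '<div data-cfg="{{ data|tojson }}">': an attribute, not a script."""
    return '<div data-cfg="' + autoescape(tojson(data)) + '">'


def script_payload(rendered):
    """Pull the JS literal back out of render_script output and parse it as JSON.

    Returns None when the literal is not valid JSON, which is exactly what a
    browser would choke on after HTML-escaping has mangled the quotes.
    """
    prefix, suffix = "<script>var cfg = ", ";</script>"
    if not (rendered.startswith(prefix) and rendered.endswith(suffix)):
        return None
    try:
        return json.loads(rendered[len(prefix):-len(suffix)])
    except json.JSONDecodeError:
        return None


# Constructed input: one value tries to break out of <script>, one contains
# double quotes, which autoescape would turn into &quot;.
SAMPLE = {"name": "</script><img src=x onerror=alert(1)>", "q": 'say "hi"'}

if __name__ == "__main__":
    print(render_script(tojson_unfixed, SAMPLE))  # &quot; everywhere: not JS
    print(render_script(tojson_fixed, SAMPLE))    # valid JSON, no </script>
    print(render_attr(tojson_fixed, SAMPLE))      # raw " ends the attribute early
```

Run as a script it prints the three renderings. The unfixed filter is the situation in the report: under autoescape the JSON is only usable with an explicit `|safe`. The fixed filter gives the documented behaviour, and the `\u003c`/`\u003e` escapes are why it stays safe even with attacker-controlled strings. The attribute rendering shows the documented limit: once the result is `Markup`, its double quotes are no longer escaped, so inside a quoted attribute the value terminates the attribute early; there the plain-`str` behaviour happened to be the safe one.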
Expected Behavior
From the jinja docs:
"Note that this is available in templates through the |tojson filter which will also mark the result as safe. "
Actual Behavior
tojson doesn't seem to be marking the output as safe, so if we establish the jinja environment with autoescape enabled, and then use tojson, we must add "|safe" at the end.
Your Environment