Ticket #17419: 17419-insecure-do-not-use-this.patch

django/template/defaultfilters.py

@@ -1 +1 @@
 """Default variable filters."""
 
+import json
 import re
 import random as random_module
 import unicodedata
@@ -838 +839 @@
         return ugettext("%s TB") % filesize_number_format(bytes / (1024 * 1024 * 1024 * 1024))
     return ugettext("%s PB") % filesize_number_format(bytes / (1024 * 1024 * 1024 * 1024 * 1024))
 
+def _recursive_escape(value, esc=conditional_escape):
+    """Recursively escapes strings in an object.
+
+    Traverses dict, list and tuples. These are the data structures supported
+    by the JSON encoder.
+    """
+
+    if isinstance(value, dict):
+        return type(value)((esc(k), esc(v)) for (k, v) in value.iteritems())
+    elif isinstance(value, (list, tuple)):
+        return type(value)(esc(v) for v in value)
+    elif isinstance(value, (str, unicode)):
+        return esc(value)
+    elif isinstance(value, (int, long, float)) or value in (True, False, None):
+        return value
+    # We've exhausted all the types acceptable by the default JSON encoder.
+    # Django's improved JSON encoder handles a few other types, all of which
+    # are represented by strings. For these types, we apply JSON encoding
+    # immediately and then escape the result.
+    else:
+        # Importing this at the top level causes an import loop.
+        from django.core.serializers.json import DjangoJSONEncoder
+        return esc(DjangoJSONEncoder().default(value))
+
+@register.filter("json", needs_autoescape=True)
+def json_filter(value, autoescape=None):
+    """
+    Returns the JSON representation of the value.
+    """
+    try:
+        # Importing this at the top level causes an import loop.
+        from django.core.serializers.json import DjangoJSONEncoder
+        # If value contains custom subclasses of int, str, datetime, etc.
+        # arbitrary exceptions may be raised during escaping or serialization.
+        if autoescape:
+            value = _recursive_escape(value)
+        result = json.dumps(value, cls=DjangoJSONEncoder)
+    except Exception:
+        return ''
+    return mark_safe(result)
+
 @register.filter(is_safe=False)
 def pluralize(value, arg=u's'):
     """

docs/ref/templates/builtins.txt

@@ -1602 +1602 @@
 If ``value`` is the list ``['a', 'b', 'c']``, the output will be the string
 ``"a // b // c"``.
 
+.. templatefilter:: json
+
+json
+^^^^
+
+.. versionadded:: 1.5
+
+Converts a Python data structure into a JSON string.
+
+For example::
+
+    {{ value|json }}
+
+If ``value`` is the Python dict ``{u'hello': (u'world', u'wide')}``, the
+output will be the string ``'{"hello": ["world", "wide"]}'``.
+
 .. templatefilter:: last
 
 last

docs/releases/1.5.txt

@@ -33 +33 @@
 What's new in Django 1.5
 ========================
 
+``json`` template filter
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+This new filter turns an arbitrary Python object into a JSON string. It's
+handy to pass data to JavaScript without resorting to an AJAX call. It's also
+useful when both your HTML and your JavaScript use the same data, for instance
+when you're displaying a graph and the corresponding data table. See the
+documentation for :tfilter:`json` for more information.
+
 Minor features
 ~~~~~~~~~~~~~~
 

tests/regressiontests/templates/filters.py

@@ -106 +106 @@
         'filter-lower01': ("{% autoescape off %}{{ a|lower }} {{ b|lower }}{% endautoescape %}", {"a": "Apple & banana", "b": mark_safe("Apple & banana")}, u"apple & banana apple & banana"),
         'filter-lower02': ("{{ a|lower }} {{ b|lower }}", {"a": "Apple & banana", "b": mark_safe("Apple & banana")}, u"apple & banana apple & banana"),
 
+        # The output of "json" is escaped according to the current
+        # autoescape setting
+        'filter-json01': ("{{ data|json }}", {"data": "</script><script>alert('spam');"}, u'"&lt;/script&gt;&lt;script&gt;alert(&#39;spam&#39;);"'),
+        'filter-json02': ("{% autoescape off %}{{ data|json }}{% endautoescape %}", {"data": "</script><script>alert('spam');"}, u'"</script><script>alert(\'spam\');"'),
+        'filter-json03': ("{{ data|json }}", {"data": Exception}, u''),
+
         # The make_list filter can destroy existing escaping, so the results are
         # escaped.
         'filter-make_list01': ("{% autoescape off %}{{ a|make_list }}{% endautoescape %}", {"a": mark_safe("&")}, u"[u'&']"),
@@ -336 +342 @@
         'join04': (r'{% autoescape off %}{{ a|join:" &amp; " }}{% endautoescape %}', {'a': ['alpha', 'beta & me']}, 'alpha &amp; beta & me'),
 
         # Test that joining with unsafe joiners don't result in unsafe strings (#11377)
-        'join05': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': ' & '}, 'alpha &amp; beta &amp; me'), 
-        'join06': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta &amp; me'), 
-        'join07': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': ' & ' }, 'alpha &amp; beta &amp; me'), 
-        'join08': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta &amp; me'), 
-        
+        'join05': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': ' & '}, 'alpha &amp; beta &amp; me'),
+        'join06': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta &amp; me'),
+        'join07': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': ' & ' }, 'alpha &amp; beta &amp; me'),
+        'join08': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta &amp; me'),
+
         'date01': (r'{{ d|date:"m" }}', {'d': datetime(2008, 1, 1)}, '01'),
         'date02': (r'{{ d|date }}', {'d': datetime(2008, 1, 1)}, 'Jan. 1, 2008'),
         #Ticket 9520: Make sure |date doesn't blow up on non-dates