| 1 | from json import dumps
|
|---|
| 2 | from django import template
|
|---|
| 3 | from django.core.serializers.json import DjangoJSONEncoder
|
|---|
| 4 | from django.utils.html import format_html
|
|---|
| 5 | from django.utils.safestring import mark_safe
|
|---|
| 6 |
|
|---|
| 7 | register = template.Library()
|
|---|
| 8 |
|
|---|
| 9 |
|
|---|
| 10 | def escapejson(a):
|
|---|
| 11 | """
|
|---|
| 12 | This will escape all the HTML/XML special characters with their unicode
|
|---|
| 13 | escapes, so it is safe to be output anywhere except for inside a tag
|
|---|
| 14 | attribute.
|
|---|
| 15 | """
|
|---|
| 16 | json_str = dumps(a, cls=DjangoJSONEncoder)
|
|---|
| 17 |
|
|---|
| 18 | # Escape all the XML/HTML special characters.
|
|---|
| 19 | escapes = ['<', '>', '&']
|
|---|
| 20 | for c in escapes:
|
|---|
| 21 | json_str = json_str.replace(c, r'\u%04x' % ord(c))
|
|---|
| 22 |
|
|---|
| 23 | return mark_safe(json_str)
|
|---|
| 24 |
|
|---|
| 25 |
|
|---|
| 26 | @register.filter()
|
|---|
| 27 | def as_json_script(a, id=None):
|
|---|
| 28 | """
|
|---|
| 29 | This will wrap the escaped json in a script tag with id set accordingly.
|
|---|
| 30 | Other javascript can load the data using
|
|---|
| 31 | JSON.parse(document.getElementById("<id>").textContent)
|
|---|
| 32 | See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse
|
|---|
| 33 | """
|
|---|
| 34 |
|
|---|
| 35 | escaped = escapejson(a)
|
|---|
| 36 | if id:
|
|---|
| 37 | return format_html(
|
|---|
| 38 | '<script id="{}" type="application/json">{}</script>',
|
|---|
| 39 | id, escaped
|
|---|
| 40 | )
|
|---|
| 41 | else:
|
|---|
| 42 | return format_html(
|
|---|
| 43 | '<script type="application/json">{}</script>',
|
|---|
| 44 | escaped
|
|---|
| 45 | )
|
|---|
| 46 | as_json_script.is_safe = True
|
|---|