#17419: JSON template tag

Reporter: lau                 | Owner: aaugustin
Type: New feature             | Status: closed
Component: Template system    | Version: master
Severity: Normal              | Resolution: wontfix
Keywords: json template tag   | Triage Stage: Accepted
Has patch: 1                  | Needs documentation: 0
Needs tests: 0                | Patch needs improvement: 0
Easy pickings: 0              | UI/UX: 0
Comment (by jrief):

Sorry for adding my two cents to this ticket, 3 years after it was set to "wontfix", but for real projects such a filter still is an issue and often required. And since there is no solution out-of-the-box, programmers start to implement their own stuff, which then is vulnerable to exactly the XSS attacks you're referring to. For instance here: https://github.com/divio/django-cms/blob/develop/cms/templatetags/cms_js_tags.py#L14.

Therefore I started to rethink this problem and came to a solution which seems to be secure; at least I was unable to inject malicious code into this JSON filter. Please have a look at my attached implementation.

One thing to note here: if someone pushes data through this filter marked as safe (using mark_safe), then of course XSS attacks are possible, but this is intentional misbehavior if applied to non-validated content. All other Python lists, dicts and strings (in my opinion) are safe when pushed through this filter.

--
Ticket URL: <https://code.djangoproject.com/ticket/17419#comment:19>
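The root cause the comment points at is that plain json.dumps output is valid JSON but not safe to drop inside an HTML <script> block: the HTML parser sees "</script>" in a string value before the JavaScript engine ever parses the JSON. The following is an added, stand-alone example (not jrief's attached implementation and not Django code) showing the naive filter beside a hardened one that escapes <, > and & as JSON \uXXXX sequences, which is the same technique Django's later built-in json_script tag uses. Function names (naive_json_filter, json_for_script, is_script_safe, render_script_block) and the SAMPLE_VALUE payload are constructed for this example.

```python
import html
import json

# Characters that are harmless inside a JSON string but that the HTML parser
# acts on when the JSON is embedded in a <script> element. Each is replaced
# by its JSON \uXXXX escape, which decodes back to the same character.
_HTML_SAFE_JSON = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}

# Constructed sample input: a string that would terminate a <script> element.
SAMPLE_VALUE = {
    "name": "</script><script>alert(1)</script>",
    "note": "a&b",
    "count": 3,
}


def naive_json_filter(value):
    """The pattern the ticket warns against: json.dumps output used as-is."""
    return json.dumps(value)


def json_for_script(value):
    """Serialize value as JSON that is safe to embed inside <script>.

    ensure_ascii=True also turns U+2028/U+2029 into \\u escapes, so the
    output contains only printable ASCII and never breaks out of the
    enclosing script element.
    """
    out = json.dumps(value, ensure_ascii=True)
    for ch, esc in _HTML_SAFE_JSON.items():
        out = out.replace(ch, esc)
    return out


def is_script_safe(serialized):
    """True if the serialized text contains none of the HTML-significant characters."""
    return not any(ch in serialized for ch in "<>&")


def round_trips(value):
    """The escaping must not change the data: decoding must give the original value back."""
    return json.loads(json_for_script(value)) == value


def render_script_block(element_id, value):
    """Emit a non-executing JSON data block that page scripts can read via the DOM."""
    return '<script id="%s" type="application/json">%s</script>' % (
        html.escape(element_id, quote=True),
        json_for_script(value),
    )


if __name__ == "__main__":
    print("naive:   ", naive_json_filter(SAMPLE_VALUE))
    print("hardened:", json_for_script(SAMPLE_VALUE))
    print("safe?    ", is_script_safe(json_for_script(SAMPLE_VALUE)))
    print(render_script_block("page-data", SAMPLE_VALUE))
```

The check worth keeping in a test suite is the pair is_script_safe plus round_trips: the first proves the HTML parser has nothing to act on, the second proves the escaping is lossless. As the comment notes, none of this helps if the value has already been wrapped with mark_safe upstream; the filter has to be the last step before the template output.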