#17419: JSON template tag
-----------------------------------+-------------------------------------
     Reporter:  lau                |  Owner:  aaugustin
         Type:  New feature        |  Status:  new
    Component:  Template system    |  Version:  master
     Severity:  Normal             |  Resolution:
     Keywords:  json template tag  |  Triage Stage:  Accepted
    Has patch:  1                  |  Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |  UI/UX:  0
-----------------------------------+-------------------------------------
Comment (by aaugustin):

 Custom JSON encoders will only be called if the default JSON encoder can't
 process some data. Since the default encoder can process strings, custom
 encoders don't resolve our problem.

 I've also tried recursively escaping the value before passing it to the
 JSON encoder (see attached patch), but it's still insecure :(

 {{{
 >>> from django.template import *
 >>> Template('{{ data|json }}').render(Context({'data': '<>'}))
 u'"<>"'
 }}}

 {{{
 >>> class NastyInt(int):
 ...     def __str__(self):
 ...         return '</script><script>alert("%d");' % self
 ...
 >>> Template('{{ data|json }}').render(Context({'data': NastyInt(42)}))
 u'</script><script>alert("42");'
 }}}

 Of course, this is an edge case, but we can't compromise on security.

--
Ticket URL: <https://code.djangoproject.com/ticket/17419#comment:17>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
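The comment above shows why escaping the Python value before serialization fails: whatever the encoder emits afterwards is trusted verbatim. The robust fix is to escape the serialized JSON text itself. The following is an added example, not code from the ticket, its patch, or Django; the helper names (`json_for_script`, `script_tag`, `round_trips`) are hypothetical.

```python
import html
import json

# Characters that let serialized data break out of a <script> element (or an
# attribute). Each is replaced by its JSON \u escape, which is valid inside a
# JSON string and decodes back to the original character.
_SCRIPT_ESCAPES = {ord("<"): "\\u003C", ord(">"): "\\u003E", ord("&"): "\\u0026"}


def json_for_script(value) -> str:
    """Serialize `value` to JSON text that cannot close a surrounding <script>.

    Escaping runs on the *serialized* output, so it covers everything the
    encoder emitted (string values, dict keys, whatever a custom encoder or a
    value's __str__ produced), not only the Python strings visible beforehand.
    ensure_ascii (the default) also escapes U+2028/U+2029, which terminate
    lines in JavaScript but are ordinary characters in JSON.
    """
    return json.dumps(value, ensure_ascii=True).translate(_SCRIPT_ESCAPES)


def script_tag(element_id: str, value) -> str:
    """Embed data in a non-executing JSON <script> block (hypothetical helper,
    the same shape as the json_script filter Django later shipped)."""
    return '<script id="%s" type="application/json">%s</script>' % (
        html.escape(element_id, quote=True),
        json_for_script(value),
    )


def round_trips(value) -> bool:
    """True if the escaped JSON still decodes to the original value."""
    return json.loads(json_for_script(value)) == value


if __name__ == "__main__":
    # Constructed sample: values that would close the script element if they
    # were emitted verbatim, like the NastyInt case in the ticket.
    hostile = {"msg": '</script><script>alert("42");', "a&b": "<>"}
    out = script_tag("payload", hostile)
    print(out)
    assert out.count("</script>") == 1  # only our own closing tag survives
    assert round_trips(hostile)
```

Because JSON syntax itself never contains `<`, `>` or `&` outside string literals, the post-serialization replacement can only touch string contents, so the output stays valid JSON and decodes unchanged.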