#17419: JSON template tag
-----------------------------------+-------------------------------------
     Reporter:  lau                |                    Owner:  aaugustin
         Type:  New feature        |                   Status:  new
    Component:  Template system    |                  Version:  master
     Severity:  Normal             |               Resolution:
     Keywords:  json template tag  |             Triage Stage:  Accepted
    Has patch:  1                  |      Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |                    UI/UX:  0
-----------------------------------+-------------------------------------

Comment (by aaugustin):

 Custom JSON encoders will only be called if the default JSON encoder can't
 process some data. Since the default encoder can process strings, custom
 encoders don't resolve our problem.

 I've also tried recursively escaping the value before passing it to the
 JSON encoder (see attached patch), but it's still insecure :(

 {{{
 >>> from django.template import *
 >>> Template('{{ data|json }}').render(Context({'data': '<>'}))
 u'"&lt;&gt;"'
 }}}

 {{{
 >>> class NastyInt(int):
 ...     def __str__(self):
 ...         return '</script><script>alert("%d");' % self
 ...
 >>> Template('{{ data|json }}').render(Context({'data': NastyInt(42)}))
 u'</script><script>alert("42");'
 }}}

 Of course, this is an edge case, but we can't compromise on security.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/17419#comment:17>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
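Added example, not part of the ticket or its attached patch: the two sessions above show that escaping the *input* before JSON-encoding it is the wrong layer, because the encoder, not the caller, decides what text an object becomes. The approach below instead escapes the *encoded output*, replacing `<`, `>` and `&` with JSON `\uXXXX` escapes, so nothing the encoder emits can close a `<script>` block no matter which object produced it (this is the strategy Django later shipped as the `json_script` filter). `json_for_script`, `script_tag`, `is_script_safe` and `roundtrips` are hypothetical names; the sample inputs are constructed. Note that current Python 3 `json` serializes `int` subclasses with `int.__repr__`, so the `NastyInt` trick from the comment does not reproduce there, but the output-escaping approach does not rely on that.

```python
import json
from html import escape

# Characters that can terminate a <script> block or start an entity when JSON
# text is embedded directly in HTML. Each maps to a JSON \uXXXX escape, which
# every JSON parser (and the JS literal grammar) turns back into the original
# character: the data round-trips unchanged while the markup stays inert.
_SCRIPT_UNSAFE = {
    "<": "\\u003C",
    ">": "\\u003E",
    "&": "\\u0026",
}


def json_for_script(value, encoder=None):
    """Serialize ``value`` as JSON that is safe to place inside a <script> tag.

    Escaping is applied to the encoded output, so it does not depend on how
    the encoder rendered any particular object (hypothetical helper).
    """
    text = json.dumps(value, cls=encoder)
    for ch, esc in _SCRIPT_UNSAFE.items():
        text = text.replace(ch, esc)
    return text


def script_tag(element_id, value):
    """Render a <script type="application/json"> data island (hypothetical).

    The element id lives in an HTML attribute, so it gets HTML attribute
    escaping; the body gets the JSON-level escaping from json_for_script.
    """
    return '<script id="%s" type="application/json">%s</script>' % (
        escape(element_id, quote=True),
        json_for_script(value),
    )


def is_script_safe(text):
    """True when no raw <, > or & survives in the serialized text."""
    return not any(ch in text for ch in _SCRIPT_UNSAFE)


def roundtrips(value):
    """True when the escaped JSON still decodes to the original value."""
    return json.loads(json_for_script(value)) == value


if __name__ == "__main__":
    # Constructed inputs: the '<>' string from the comment, a script breakout
    # string, and a dict containing an ampersand.
    for sample in ["<>", '</script><script>alert("42");', {"k": "a&b"}]:
        out = json_for_script(sample)
        print(out, is_script_safe(out), roundtrips(sample))
        # Plain json.dumps leaves the raw characters in place for comparison.
        print("  unescaped safe?", is_script_safe(json.dumps(sample)))
```

The check `is_script_safe` is what a template test for such a filter should assert on: the rendered output must contain no raw `<`, `>` or `&` regardless of the value's type, because the HTML parser scans for `</script` before the JavaScript engine ever sees the string literal.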
