Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+-
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  closed
Component:  Template system|  Version:  master
 Severity:  Normal |   Resolution:  wontfix
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+-

Comment (by aaugustin):

 Yes, I would do the former if user-controlled data is involved and the
 latter if the data is sufficiently simple and controlled that security
 isn't an issue.

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/061.32a671eb524ef2c39761184d25f83c78%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+-
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  closed
Component:  Template system|  Version:  master
 Severity:  Normal |   Resolution:  wontfix
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+-

Comment (by abhillman):

 Replying to [comment:18 aaugustin]:
 > I've finally changed my mind on this ticket. There's a good reason why
 it isn't recommended to just include raw JSON data in the HTML: it's
 
[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
 extremely hard to prevent XSS] unless you enforce other rules about the
 context, and this isn't under the control of Django.
 >
 > It's obviously possible to solve the problem for particular use cases
 with controlled data. In such cases, the implementation only takes a few
 lines (see the first patch on this ticket). However, it appears very hard
 to provide a general `|json` filter that will be safe in all contexts.
 >
 > If you think you have a working implementation, please submit it on the
 mailing list. I'll expect strong evidence that it's secure :)

 This is a pretty old ticket. But out of curiosity, how would you deal with
 this kind of situation, Aymeric? That is, binding some data to a
 JavaScript variable. Just create an API endpoint to grab data via ajax and
 bind it to a variable there? Create a template tag for your own usage
 given that you are aware of its potential security issues?

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/061.ed066679fda0fe90bf249b010769f9a1%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+-
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  closed
Component:  Template system|  Version:  master
 Severity:  Normal |   Resolution:  wontfix
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+-

Comment (by jrief):

 Sorry for adding my two cents to this ticket, 3 years after it has been
 set to ''wontfix'', but for real projects such a filter still is an issue
 and often required. And since there is no solution out-of-the-box,
 programmers start to implement their own stuff, which then is vulnerable
 to exactly the XSS attacks you're referring to. For instance here:
 https://github.com/divio/django-
 cms/blob/develop/cms/templatetags/cms_js_tags.py#L14.

 Therefore I started to rethink about this problem and came to a solution
 which seems to be secure; at least I was unable to inject malicious code
 into this JSON filter. Please have a look at my attached implementation.

 One thing to note here: If someone pushes data through this filter marked
 as safe (using {{{mark_safe}}}), then of course XSS attacks are possible,
 but this is intentional misbehavior if applied to non-validated content.
 All other Python lists, dicts and strings (in my opinion) are safe when
 pushed through this filter.

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/061.bf9fee7c1215a0c761d709679c34548a%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+-
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  closed
Component:  Template system|  Version:  master
 Severity:  Normal |   Resolution:  wontfix
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+-
Changes (by aaugustin):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 I've finally changed my mind on this ticket. There's a good reason why it
 isn't recommended to just include raw JSON data in the HTML: it's
 
[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
 extremely hard to prevent XSS] unless you enforce other rules about the
 context, and this isn't under the control of Django.

 It's obviously possible to solve the problem for particular use cases with
 controlled data. In such cases, the implementation only takes a few lines
 (see the first patch on this ticket). However, it appears very hard to
 provide a general `|json` filter that will be safe in all contexts.

 If you think you have a working implementation, please submit it on the
 mailing list. I'll expect strong evidence that it's secure :)

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+-
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  master
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+-

Comment (by aaugustin):

 Custom JSON encoders will only be called if the default JSON encoder can't
 process some data. Since the default encoder can process strings, custom
 encoders don't resolve our problem.

 I've also tried recursively escaping the value before passing it to the
 JSON encoder (see attached patch), but it's still insecure :(

 {{{
 >>> from django.template import *
 >>> Template('{{ data|json }}').render(Context({'data': '<>'}))
 u'""'
 }}}

 {{{
 >>> class NastyInt(int):
 ... def __str__(self):
 ... return 'alert("%d");' % self
 ...
 >>> Template('{{ data|json }}').render(Context({'data': NastyInt(42)}))
 

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+-
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  master
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+-
Changes (by aaugustin):

 * stage:  Design decision needed => Accepted


Comment:

 It's hard to prove that this technique is secure...

 We could achieve a similar effect with a custom JSON encode that only
 escapes strings. I'm going to write a patch.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
-+-
 Reporter:  lau  |Owner:  aaugustin
 Type:  New feature  |   Status:  new
Component:  Template system  |  Version:  SVN
 Severity:  Normal   |   Resolution:
 Keywords:  json template tag| Triage Stage:  Design
Has patch:  1|  decision needed
  Needs tests:  0|  Needs documentation:  0
Easy pickings:  0|  Patch needs improvement:  0
 |UI/UX:  0
-+-

Comment (by carbonXT):

 It's a bit hacky, but we might be able to use JSONEncoder.iterencode to
 escape only the string data in the json object. Proof of concept:


 {{{
 from django.utils import simplejson
 from django.utils.html import escape

 def encode_as_escaped_json(obj):
 result = ''
 for part in simplejson.JSONEncoder().iterencode(obj):
 if part[0:3] == ', "':
 result += ', "' + escape(part[3:-1]) + '"'
 elif part[0] == '"':
 result += '"' + escape(part[1:-1]) + '"'
 else:
 result += part
 return result

 if __name__ == '__main__':
 my_obj = [
 {'k1': 'Attack!', 'k2': 42},
 'e"eer',
 'More 

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
-+-
 Reporter:  lau  |Owner:  aaugustin
 Type:  New feature  |   Status:  new
Component:  Template system  |  Version:  SVN
 Severity:  Normal   |   Resolution:
 Keywords:  json template tag| Triage Stage:  Design
Has patch:  1|  decision needed
  Needs tests:  0|  Needs documentation:  0
Easy pickings:  0|  Patch needs improvement:  0
 |UI/UX:  0
-+-
Changes (by aaugustin):

 * easy:  1 => 0
 * stage:  Accepted => Design decision needed


Comment:

 When the output isn't marked safe, indeed, `{{ foobar|json }}` will fail
 whenever `foobar` contains strings. But I don't think Django can or should
 do something about this fact. If the output were arbitrarily (and wrongly)
 marked safe, that would defeat Django's anti-XSS protection.

 Let's just try this with some interesting values of `a`:
 {{{
 var a = {{ a|json }};
 }}}

 For instance:
 {{{
 var a =
 "fooalert('pwnd!');bar;"
 }}}

 Wrapping with CDATA doesn't help:
 {{{
 alert('pwnd!');
 }}}

 Per the "Don't Give Users Guns Aimed At Feet", this isn't possible.

 

 So I hesitate between two alternatives at this point:
 - add the filter with safety-by-default, and explain in the docs that if
 you have a problem with quotes being escaped, you should use another
 technique — like loading the data via AJAX — or carefully escape all the
 strings that end up in you data structure and add `|safe` in your
 template.
 - not add the filter at all, because the only implementation we can afford
 (the safe one) isn't useful enough.

 What do you think?

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+-
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  SVN
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+-
Changes (by neaf):

 * version:  1.4-alpha-1 => SVN


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+---
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.4-alpha-1
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+---
Changes (by aaugustin):

 * stage:  Ready for checkin => Accepted


Comment:

 This ticket is assigned to me because I'm currently working on it... It's
 recommended to ping the owner of a ticket before taking it over, to avoid
 duplicate work...

 This is a new feature and we're about to release 1.4 beta, so I can't
 commit it now

 Unless the other core devs have more objections than expected, I'll commit
 it for 1.5.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
-+-
 Reporter:  lau  |Owner:  aaugustin
 Type:  New feature  |   Status:  new
Component:  Template system  |  Version:
 Severity:  Normal   |  1.4-alpha-1
 Keywords:  json template tag|   Resolution:
Has patch:  1| Triage Stage:  Ready for
  Needs tests:  0|  checkin
Easy pickings:  1|  Needs documentation:  0
 |  Patch needs improvement:  0
 |UI/UX:  0
-+-
Changes (by cypreess):

 * stage:  Accepted => Ready for checkin


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+---
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.4-alpha-1
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+---
Changes (by neaf):

 * stage:  Ready for checkin => Accepted


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
-+-
 Reporter:  lau  |Owner:  aaugustin
 Type:  New feature  |   Status:  new
Component:  Template system  |  Version:
 Severity:  Normal   |  1.4-alpha-1
 Keywords:  json template tag|   Resolution:
Has patch:  1| Triage Stage:  Ready for
  Needs tests:  0|  checkin
Easy pickings:  1|  Needs documentation:  0
 |  Patch needs improvement:  0
 |UI/UX:  0
-+-
Changes (by neaf):

 * stage:  Accepted => Ready for checkin


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+---
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.4-alpha-1
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+---

Comment (by olau):

 Sounds nice that it's going in, but playing it safe isn't necessarily that
 helpful. {{{escape}}} turns " into {{{}}}, which means you can't
 output a string in that JSON without {{{safe}}} - including a simple
 object like {{{ { "a": 123 .

 I've tested a simple
 {{{
 
 var x = "foo";
 
 }}}
 with both an HTML5 doctype an XHTML 1 strict doctype, and it doesn't work
 in any of them. So it seems to me this filter is never useful in script
 tags without {{{safe}}}? It would perhaps be better to add a warning to
 the documentation?

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+---
 Reporter:  lau|Owner:  aaugustin
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.4-alpha-1
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+---
Changes (by aaugustin):

 * owner:  nobody => aaugustin


Comment:

 Thanks for updating the patch.

 This is a new feature, so I need to check if I can slip it in 1.4 now or
 if it'll have to wait for 1.5. Anyway, I intend to commit it eventually,
 as I've felt the need for such a tag quite often.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+---
 Reporter:  lau|Owner:  nobody
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.4-alpha-1
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+---
Changes (by carbonXT):

 * needs_better_patch:  1 => 0


Comment:

 > Not everyone adds CDATA markers to its 

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+---
 Reporter:  lau|Owner:  nobody
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.4-alpha-1
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  1
Easy pickings:  1  |UI/UX:  0
---+---
Changes (by aaugustin):

 * needs_better_patch:  0 => 1


Comment:

 I don't believe marking the output as safe by default is the right thing
 to do.

 Not everyone adds CDATA markers to its 

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+---
 Reporter:  lau|Owner:  nobody
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.4-alpha-1
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+---
Changes (by carbonXT):

 * needs_docs:  1 => 0
 * version:  1.3 => 1.4-alpha-1
 * needs_tests:  1 => 0


Comment:

 I've uploaded a patch that applies cleanly to trunk that contains the new
 filter, tests, and documentation.

 Would be great to get this into 1.4 - let me know if you need any
 additions/changes in order to accept it. Thanks.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+
 Reporter:  lau|Owner:  nobody
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.3
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  1
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+
Changes (by carbonXT):

 * cc: mike@… (added)


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+
 Reporter:  lau|Owner:  nobody
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.3
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  1
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  1  |UI/UX:  0
---+
Changes (by aaugustin):

 * needs_docs:  0 => 1
 * needs_tests:  0 => 1
 * easy:  0 => 1


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
---+
 Reporter:  lau|Owner:  nobody
 Type:  New feature|   Status:  new
Component:  Template system|  Version:  1.3
 Severity:  Normal |   Resolution:
 Keywords:  json template tag  | Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+
Changes (by aaugustin):

 * needs_better_patch:   => 0
 * stage:  Unreviewed => Accepted
 * needs_tests:   => 0
 * needs_docs:   => 0


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

[Django] #17419: JSON template tag

[Django]

#17419: JSON template tag
-+---
 Reporter:  lau  |  Owner:  nobody
 Type:  New feature  | Status:  new
Component:  Template system  |Version:  1.3
 Severity:  Normal   |   Keywords:  json template tag
 Triage Stage:  Unreviewed   |  Has patch:  1
Easy pickings:  0|  UI/UX:  0
-+---
 It's nice to be able to quickly make Python lists and dictionaries into
 JSON. The normal way of doing this is to dump the data structure as JSON
 in the view and then outputting the JSON within a script tag in the
 template, remembering to pipe it through safe. This little addition to
 Django would streamline that process.

 It lets you do this:
 {{{
 
   var data = {{ data|json }};
 
 }}}

 Instead of:
 {{{
 views.py:

 from django.utils import simplejson

 def home(request):
   data = {'hello: ['world', 'universe']}
   return render_to_response("home.html", {
 'data': simplejson.dumps(data),
 }, context_instance=get_context(request))


 home.html:

 
   var data = {{ data|safe }};
 

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.