Escape newlines for tojson filter as Django
ppfranco opened this issue
The `tojson` filter escapes `<`, `>`, `&` and `'`. To avoid JavaScript injection in HTML `<script>` tags and `data-*` attributes, Django and others (e.g. Odoo) seem to also escape `\u2028` and `\u2029` (treated as newlines by some JavaScript engines, which may allow an attacker to begin a new JavaScript instruction).

More info at https://code.djangoproject.com/ticket/17419#comment:27

See issue and commit in djangoproject.

Nowadays there are some more symbols, I think (https://github.com/jonashaag/django/blob/master/django/utils/html.py#L54):
```python
_js_escapes = {
    ord('\\'): '\\u005C',
    ord('\''): '\\u0027',
    ord('"'): '\\u0022',
    ord('>'): '\\u003E',
    ord('<'): '\\u003C',
    ord('&'): '\\u0026',
    ord('='): '\\u003D',
    ord('-'): '\\u002D',
    ord(';'): '\\u003B',
    ord('\u2028'): '\\u2028',
    ord('\u2029'): '\\u2029'
}
```
I only saw `htmlsafe_json_dumps`, without knowing all of the Jinja codebase, however; sorry if this issue was already addressed or evaluated.
Thanks,
Pp
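The escaping the issue asks for, as an added illustration that is not Jinja's or Django's own code: a minimal `htmlsafe_json_dumps` that applies the four escapes the issue lists plus the two Unicode line terminators, with a toggle so the unsafe output can be compared. It assumes `json.dumps` is called with `ensure_ascii=False`, which is the case where a raw U+2028 survives serialization and reaches the page.

```python
import json

# Characters that must never appear literally inside a <script> block or a
# quoted HTML attribute. The first four are what the issue says tojson already
# escapes; U+2028 / U+2029 are the line terminators the issue asks to add.
# Every replacement is a JSON \uXXXX escape, so json.loads (and a JavaScript
# JSON/string parser) reads the original character back unchanged.
_HTML_SAFE_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}

_LINE_TERMINATORS = ("\u2028", "\u2029")


def htmlsafe_json_dumps(obj, escape_line_terminators=True):
    """Serialize obj to JSON that is safe to embed in HTML.

    escape_line_terminators=False reproduces the behaviour the issue reports:
    U+2028 / U+2029 are left as raw characters in the output.
    """
    # ensure_ascii=False keeps non-ASCII characters literal; this is the mode in
    # which a raw U+2028 would otherwise be emitted into the template output.
    out = json.dumps(obj, ensure_ascii=False)
    for ch, esc in _HTML_SAFE_ESCAPES.items():
        if ch in _LINE_TERMINATORS and not escape_line_terminators:
            continue
        out = out.replace(ch, esc)
    return out


def is_inline_safe(serialized):
    """Check a serialized string for any character that can break out of an
    inline <script> or attribute context (the six characters above)."""
    return not any(ch in serialized for ch in _HTML_SAFE_ESCAPES)


if __name__ == "__main__":
    # Constructed sample: a user-controlled value carrying a U+2028 terminator.
    sample = {"name": "x\u2028alert(1)//", "html": "<b>&'"}
    print(htmlsafe_json_dumps(sample, escape_line_terminators=False))
    print(htmlsafe_json_dumps(sample))
```

With the toggle off, the raw line terminator is present in the output; with it on, the result contains only ASCII escapes and still round-trips through `json.loads`.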