Make tojson always safe (fix #709)

author Ayala Shachar <shachar.ayala@gmail.com>

Tue, 23 May 2017 17:24:52 +0000 (10:24 -0700)

committer David Lord <davidism@gmail.com>

Tue, 23 May 2017 20:44:16 +0000 (13:44 -0700)
author Ayala Shachar <shachar.ayala@gmail.com>
Tue, 23 May 2017 17:24:52 +0000 (10:24 -0700)
committer David Lord <davidism@gmail.com>
Tue, 23 May 2017 20:44:16 +0000 (13:44 -0700)
diff --git a/jinja2/utils.py b/jinja2/utils.py

index b96d30954607ae6333fe2c935949537deefc10d7..40c87ff4f007b1cc7b331e453c1cdec3e041fc80 100644 (file)
--- a/jinja2/utils.py
+++ b/jinja2/utils.py
@@ -567,7 +567,7 @@ def htmlsafe_json_dumps(obj, dumper=None, **kwargs):
          .replace(u'>', u'\\u003e') \
          .replace(u'&', u'\\u0026') \
          .replace(u"'", u'\\u0027')
-    return rv
+    return Markup(rv)
  
  
  @implements_iterator
diff --git a/tests/test_filters.py b/tests/test_filters.py

index 318a347c450d9557318ff7fa328145031f46c66c..ff941832dd1c58144f20a733ff7d93bcf926ad50 100644 (file)
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -580,8 +580,9 @@ class TestFilter(object):
      def test_json_dump(self):
          env = Environment(autoescape=True)
          t = env.from_string('{{ x|tojson }}')
-        assert t.render(x={'foo': 'bar'}) == '{&#34;foo&#34;: &#34;bar&#34;}'
-        assert t.render(x='"bar\'') == r'&#34;\&#34;bar\u0027&#34;'
+        assert t.render(x={'foo': 'bar'}) == '{"foo": "bar"}'
+        assert t.render(x='"ba&r\'') == r'"\"ba\u0026r\u0027"'
+        assert t.render(x='<bar>') == r'"\u003cbar\u003e"'
  
          def my_dumps(value, **options):
              assert options == {'foo': 'bar'}
author	Ayala Shachar <shachar.ayala@gmail.com>
	Tue, 23 May 2017 17:24:52 +0000 (10:24 -0700)
committer	David Lord <davidism@gmail.com>
	Tue, 23 May 2017 20:44:16 +0000 (13:44 -0700)
jinja2/utils.py		patch \| blob \| blame \| history
tests/test_filters.py		patch \| blob \| blame \| history