From: Ayala Shachar
Date: Tue, 23 May 2017 17:24:52 +0000 (-0700)
Subject: Make tojson always safe (fix #709)
X-Git-Tag: 2.9.x~5^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f30bc8c4d6702a2e206fd8027443d2edafe4729;p=thirdparty%2Fjinja.git
Make tojson always safe (fix #709)
---
diff --git a/jinja2/utils.py b/jinja2/utils.py
index b96d3095..40c87ff4 100644
--- a/jinja2/utils.py
+++ b/jinja2/utils.py
@@ -567,7 +567,7 @@ def htmlsafe_json_dumps(obj, dumper=None, **kwargs):
 .replace(u'>', u'\\u003e') \
 .replace(u'&', u'\\u0026') \
 .replace(u"'", u'\\u0027')
- return rv
+ return Markup(rv)
 @implements_iterator
diff --git a/tests/test_filters.py b/tests/test_filters.py
index 318a347c..ff941832 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -580,8 +580,9 @@ class TestFilter(object):
 def test_json_dump(self):
 env = Environment(autoescape=True)
 t = env.from_string('{{ x|tojson }}')
- assert t.render(x={'foo': 'bar'}) == '{"foo": "bar"}'
- assert t.render(x='"bar\'') == r'"\"bar\u0027"'
+ assert t.render(x={'foo': 'bar'}) == '{"foo": "bar"}'
+ assert t.render(x='"ba&r\'') == r'"\"ba\u0026r\u0027"'
+ assert t.render(x='') == r'"\u003cbar\u003e"'
 def my_dumps(value, **options):
 assert options == {'foo': 'bar'}
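Review bot: `return Markup(rv)` exempts the result from autoescaping, yet the replacement chain visible in this hunk escapes only `>`, `&` and `'` (the start of the chain and the rest of htmlsafe_json_dumps lie outside the hunk), so JSON's own `"` delimiters reach the template as-is. Inside a double-quoted HTML attribute that output used to be entity-escaped by autoescape and no longer is, so the first `"` in the JSON ends the attribute value. The docstring should state the limit, for example `Safe in HTML text and single-quoted attributes; inside double-quoted attributes apply |forceescape as well.` The string produced by a caller-supplied `dumper` is presumably marked safe on the same terms, which deserves one more sentence in that docstring.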
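Review bot: The added assertions in test_json_dump render `{{ x|tojson }}` only as element content, so nothing pins the behaviour inside an attribute, the one context where skipping autoescape changes what the browser sees. A case built on `env.from_string("<a data-x='{{ x|tojson }}'>")` with an input holding both `'` and `"` would document the single-quoted form as the supported one. As printed on this page the last added assert passes `x=''` while expecting `"\u003cbar\u003e"`; the argument was presumably `'<bar>'` and lost when the page was rendered, so confirm it against the repository. The test body continues past the end of the hunk.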