Escape newlines for tojson filter as Django

Open ppfranco opened this issue 2 years ago • 0 comments

The tojson filter escapes <, >, & and '. To avoid JavaScript injection in HTML <script> tags and data-* attributes, Django and others (e.g. Odoo) seem to also escape \u2028 and \u2029 (treated as newlines by some JavaScript engines, which may allow an attacker to begin a new JavaScript instruction). More info at https://code.djangoproject.com/ticket/17419#comment:27; see the issue and commit in djangoproject.

Nowadays there are some more symbols, I think: https://github.com/jonashaag/django/blob/master/django/utils/html.py#L54

_js_escapes = {
    ord('\\'): '\\u005C',
    ord('\''): '\\u0027',
    ord('"'): '\\u0022',
    ord('>'): '\\u003E',
    ord('<'): '\\u003C',
    ord('&'): '\\u0026',
    ord('='): '\\u003D',
    ord('-'): '\\u002D',
    ord(';'): '\\u003B',
    ord('\u2028'): '\\u2028',
    ord('\u2029'): '\\u2029'
}

I only looked at htmlsafe_json_dumps, without knowing the whole Jinja codebase, so sorry if this issue has already been addressed or evaluated.

Thanks, Pp

ppfranco avatar Sep 01 '23 15:09 ppfranco
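As an added illustration of the escaping the issue asks for (example code written for this page, not Jinja's htmlsafe_json_dumps or Django's implementation; the function names dumps_for_script, script_tag, has_script_breaking_chars and roundtrips are assumed), this stdlib-only helper JSON-encodes a value and then replaces the script-breaking characters, including U+2028 and U+2029, with \uXXXX sequences while keeping the output valid JSON:

```python
import json

# Characters replaced with a \uXXXX escape after JSON encoding. The set is
# deliberately limited to characters that json.dumps only ever emits inside
# string literals, so the replacement is still valid JSON. (Translating '\\',
# '"' or '-' at this stage, as a string-level escapejs table would, corrupts
# escape sequences, string delimiters or negative numbers in the JSON text.)
_SCRIPT_SAFE_ESCAPES = {
    ord("<"): "\\u003C",
    ord(">"): "\\u003E",
    ord("&"): "\\u0026",
    ord("'"): "\\u0027",
    ord("\u2028"): "\\u2028",  # LINE SEPARATOR, a line terminator in JS
    ord("\u2029"): "\\u2029",  # PARAGRAPH SEPARATOR, a line terminator in JS
}


def dumps_for_script(value, ensure_ascii=False):
    """JSON-encode `value` for literal inclusion in a <script> body.

    ensure_ascii=False keeps non-ASCII text readable; it is also the setting
    under which json.dumps would otherwise emit U+2028/U+2029 raw.
    """
    return json.dumps(value, ensure_ascii=ensure_ascii).translate(_SCRIPT_SAFE_ESCAPES)


def script_tag(var_name, value):
    """Render the value as a JS variable assignment inside a <script> element."""
    return f"<script>var {var_name} = {dumps_for_script(value)};</script>"


def has_script_breaking_chars(text):
    """True if `text` still carries a raw <, >, &, ' or U+2028/U+2029."""
    return any(ch in text for ch in ("<", ">", "&", "'", "\u2028", "\u2029"))


def roundtrips(value):
    """The escaped text must still parse back to the original value."""
    return json.loads(dumps_for_script(value)) == value


if __name__ == "__main__":
    # Constructed sample: an untrusted string with a closing tag and a
    # line separator, as it might reach a template from user input.
    untrusted = {"name": "x</script><script>alert(1)</script>", "note": "a\u2028b"}
    print(script_tag("data", untrusted))
```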