==============================================
escapejson function and django template filter
==============================================

**JSON is not javascript.** Many developers erroneously think that they can
just place the output of ``json.dumps(obj)`` inside ``<script>`` tags and be
good to go -- but this is dangerously vulnerable to cross-site scripting
attacks because of two important edge cases in which JSON differs from javascript: (1)
the handling of a literal ``</script>`` within script blocks, and (2) the
behavior of two pesky unicode whitespace characters.

This very simple library provides a function ``escapejson``, and a Django
template filter of the same name. The output of ``escapejson`` should be safe
for inclusion in HTML ``<script>`` tags, and interpretation directly as
javascript.

NOTE: this escaping is only "safe" if the input is a syntactically valid JSON
string. The output is NOT safe if you pass it invalid JSON, whether from
untrusted JSON input or from a broken encoder. This library does not validate
the correctness of the JSON it is fed. Always use a conformant JSON encoder
(e.g. ``json.dumps``) to ensure that the JSON is valid to start with.

Installation
============

::

    pip install escapejson

Supports Python 2.7 and 3.3+. Supports Django 1.7, 1.8, 1.9 and 1.10 (Django is not required).

Usage
=====

Example API usage (with or without Django)
------------------------------------------

::

    import json
    from escapejson import escapejson

    # A value that would close the <script> element if dumped as-is.
    my_obj = {'message': '</script><script>alert("oh no!")</script>'}
    # Always produce valid JSON with a conformant encoder first...
    my_str = json.dumps(my_obj)
    # ...then escape it for inclusion in a <script> tag.
    my_safe_str = escapejson(my_str)

Example Django templates usage
------------------------------

First, add ``"escapejson"`` to ``INSTALLED_APPS`` in your project's ``settings.py``::

    # settings.py
    INSTALLED_APPS = [
        ...,
        "escapejson",
        ...,
    ]


Then, load the ``escapejson`` template library and use its filter::

    {% load escapejson %}

    <script>
    var my_obj = {{obj_or_str|escapejson}};
    </script>

This filter will attempt to JSON-encode any non-string object that is passed to it before
escaping, or just escape any string that is passed to it.


What it protects against
========================

</script> attacks
-----------------

Any string containing a literal ``</script>`` inside javascript within HTML
script tags will be interpreted by modern browsers as closing the script tag,
resulting at best in broken scripts and syntax errors, and at worst in
full-blown XSS. By escaping all ``/`` characters as ``\/`` (a valid optional
escape in the JSON spec), this is mitigated: the HTML parser no longer sees a
closing tag, while the javascript string still decodes to the same value.

U+2028 and U+2029
-----------------

Two funky unicode whitespace characters count as valid JSON, but cause syntax
errors in javascript. This is mitigated by replacing the literal characters
with the strings ``\u2028`` and ``\u2029``.
[`reference <http://timelessrepo.com/json-isnt-a-javascript-subset>`_]
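The two escapes described above, as an added example that is not the escapejson package's own source: a minimal escaper that rewrites ``/`` to ``\/`` and the two separator characters to ``\u2028``/``\u2029``, skipping characters that are already part of a JSON escape so a conformant encoder's own ``\/`` is not doubled. Function names and the sample value are this example's own.

```python
import json

# Added example (not the escapejson package's own source); names are this example's own.
# Replacements for characters that are not already part of a JSON escape sequence.
ESCAPES = {
    "/": "\\/",           # "</script>" becomes "<\/script>": cannot close the element
    "\u2028": "\\u2028",  # LINE SEPARATOR: valid in JSON strings, a JS syntax error
    "\u2029": "\\u2029",  # PARAGRAPH SEPARATOR: same problem
}

def escape_json_text(json_text):
    """Escape already-valid JSON text for use inside an HTML <script> element.

    The character after a backslash is copied through untouched, so an
    encoder's own "\\/" is not doubled into "\\\\/" (a different string).
    """
    out = []
    in_escape = False
    for ch in json_text:
        if in_escape:
            out.append(ch)
            in_escape = False
        elif ch == "\\":
            out.append(ch)
            in_escape = True
        else:
            out.append(ESCAPES.get(ch, ch))
    return "".join(out)

def encode_for_script(obj):
    """Encode with the standard library, then escape for <script> use."""
    # ensure_ascii=False keeps U+2028/U+2029 literal, the case that must be fixed.
    return escape_json_text(json.dumps(obj, ensure_ascii=False))

def is_script_safe(text):
    """No closing tag (HTML tag names are case-insensitive) and no U+2028/U+2029."""
    return "</script" not in text.lower() and "\u2028" not in text and "\u2029" not in text

def round_trips(obj):
    """The escaped output is still JSON that decodes to the original value."""
    return json.loads(encode_for_script(obj)) == obj

if __name__ == "__main__":
    # Constructed sample: a script-closing payload plus the two whitespace characters.
    sample = {"msg": '</script><script>alert("oh no!")</script>', "ws": "a\u2028b\u2029c"}
    print(is_script_safe(json.dumps(sample, ensure_ascii=False)))  # False: naive dumps
    print(is_script_safe(encode_for_script(sample)), round_trips(sample))  # True True
```

As the README's note says, this only holds for input that is already valid JSON; the escaper does not validate what it is given.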

Download Files
==============

escapejson-0.2.tar.gz (4.7 kB), source distribution, uploaded Sep 9, 2016.
