This is an automated email from the ASF dual-hosted git repository.
gcruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git
The following commit(s) were added to refs/heads/master by this push:
new 11821c791 [#8473] use jinja tojson instead of our own
11821c791 is described below
commit 11821c791c31684ce85555423e6c6ec4b438e001
Author: Dave Brondsema <[email protected]>
AuthorDate: Tue Oct 11 15:07:04 2022 -0400
[#8473] use jinja tojson instead of our own
---
Allura/allura/ext/admin/templates/project_admin.html | 2 +-
Allura/allura/ext/admin/templates/project_install_tool.html | 2 +-
Allura/allura/lib/helpers.py | 8 +++++---
Allura/allura/templates/jinja_master/top_nav.html | 2 +-
Allura/allura/templates_responsive/jinja_master/top_nav.html | 2 +-
Allura/allura/tests/test_helpers.py | 2 +-
.../templates/tracker_widgets/ticket_search_results.html | 2 +-
7 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/Allura/allura/ext/admin/templates/project_admin.html
b/Allura/allura/ext/admin/templates/project_admin.html
index 3633fc883..fafdc2628 100644
--- a/Allura/allura/ext/admin/templates/project_admin.html
+++ b/Allura/allura/ext/admin/templates/project_admin.html
@@ -121,7 +121,7 @@
{% block extra_js %}
<script>
$(function() {
- var tour = {{ h.escape_json(tour)|safe }};
+ var tour = {{ tour|tojson }};
tour.onError = function() {
var step = hopscotch.getCurrStepNum();
console.warn('Error on tour step #', step, tour.steps[step]);
diff --git a/Allura/allura/ext/admin/templates/project_install_tool.html
b/Allura/allura/ext/admin/templates/project_install_tool.html
index b3e577d7f..556471e40 100644
--- a/Allura/allura/ext/admin/templates/project_install_tool.html
+++ b/Allura/allura/ext/admin/templates/project_install_tool.html
@@ -79,7 +79,7 @@
<script>
- var _existingMountPoints = {{ h.escape_json(existing_mount_points)|safe }};
+ var _existingMountPoints = {{ existing_mount_points|tojson }};
$('#admin_modal_title').hide();
var mount_point = $('#id_url_input');
diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index 77523e856..2efce7911 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -58,7 +58,7 @@ from formencode.variabledecode import variable_decode
import formencode
from markupsafe import Markup
from jinja2.filters import escape, do_filesizeformat
-from jinja2.utils import pass_context
+from jinja2.utils import pass_context, htmlsafe_json_dumps
from paste.deploy.converters import asbool, aslist, asint
from webhelpers2 import date, text
from webob.exc import HTTPUnauthorized
@@ -153,8 +153,10 @@ def make_safe_path_portion(ustr, relaxed=True):
return s
-def escape_json(data):
- return json.dumps(data).replace('<', '\\u003C')
+def escape_json(data) -> str:
+ # Templates should use `|tojson` instead of this
+ return str(htmlsafe_json_dumps(data)) # str() to keep previous behavior
of being str, not MarkupSafe
+
def querystring(request, url_params):
"""
diff --git a/Allura/allura/templates/jinja_master/top_nav.html
b/Allura/allura/templates/jinja_master/top_nav.html
index 980f4ef36..53923c1d5 100644
--- a/Allura/allura/templates/jinja_master/top_nav.html
+++ b/Allura/allura/templates/jinja_master/top_nav.html
@@ -53,7 +53,7 @@
<script>
'use strict';
/*global ReactDOM, React, Main, ToggleAddNewTool */
- var _data = {{ h.escape_json(c.project.nav_data(admin_options=True,
navbar_entries=navbar_entries))|safe }};
+ var _data = {{ c.project.nav_data(admin_options=True,
navbar_entries=navbar_entries)|tojson }};
$(document).ready(function () {
$('#toggle-admin-btn').click(function () {
if (typeof Main === 'undefined') {
diff --git a/Allura/allura/templates_responsive/jinja_master/top_nav.html
b/Allura/allura/templates_responsive/jinja_master/top_nav.html
index 0627272c2..36e2f21ae 100644
--- a/Allura/allura/templates_responsive/jinja_master/top_nav.html
+++ b/Allura/allura/templates_responsive/jinja_master/top_nav.html
@@ -53,7 +53,7 @@
<script>
'use strict';
/*global ReactDOM, React, Main, ToggleAddNewTool */
- var _data = {{ h.escape_json(c.project.nav_data(admin_options=True,
navbar_entries=navbar_entries))|safe }};
+ var _data = {{ c.project.nav_data(admin_options=True,
navbar_entries=navbar_entries)|tojson }};
$(document).ready(function () {
$('#toggle-admin-btn').click(function () {
if (typeof Main === 'undefined') {
diff --git a/Allura/allura/tests/test_helpers.py
b/Allura/allura/tests/test_helpers.py
index 650ba023f..16408b5d6 100644
--- a/Allura/allura/tests/test_helpers.py
+++ b/Allura/allura/tests/test_helpers.py
@@ -78,7 +78,7 @@ class TestMakeSafePathPortion(TestCase):
def test_escape_json():
inputdata = {"foo": "bar</script><img src=foobar onerror=alert(1)>"}
- outputsample = '{"foo": "bar\\u003C/script>\\u003Cimg src=foobar
onerror=alert(1)>"}'
+ outputsample = '{"foo": "bar\\u003c/script\\u003e\\u003cimg src=foobar
onerror=alert(1)\\u003e"}'
outputdata = h.escape_json(inputdata)
assert_equals(outputdata, outputsample)
diff --git
a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
index f57a4662e..308ac576c 100644
---
a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
+++
b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
@@ -129,7 +129,7 @@
{{widget.fields['page_list'].display(limit=limit, page=page, count=count)}}
<script type="text/javascript">
var q="{{query and h.urlquoteplus(query) or ''}}", count={{count}},
limit={{limit}}, page={{page}}, sort="{{sort if sort else ''}}";
- var filter = {{h.escape_json(filter or {})|safe}};
+ var filter = {{(filter or {})|tojson}};
</script>
</div>
{% block wiki_extra_css %}
