I've used django-jsonify (https://pypi.python.org/pypi/django-jsonify/) in the the past for this successfully. I'm not certain of the security of the code since unfortunately I didn't have the time to do a proper audit, but it seemed to handle some common cases.
-- Michael Mior On Tuesday, May 13, 2014 6:03:43 AM UTC-4, David Evans wrote: > > There was some discussion previously (see > https://code.djangoproject.com/ticket/17419) of adding a JSON encoding > filter to Django. This was rejected as being impossible (or very difficult) > to do securely. However the requirement to embed JSON in an HTML page is > quite a common one, and it's easy to get wrong and create XSS > vulnerabilities. We should make it easy for people to do the right thing. > > I propose a ``json`` tag (implementation > here<https://gist.github.com/evansd/41ea9dfc90d87f6afde1>) > which outputs the entire script element as well as the JSON data. By > enforcing the context in which in the JSON is output, it's possible to > escape it securely. > > It would have two basic modes of operation. The first, and recommended, > one would look like this: > > {% json data id="initial-data" %} > > > and would produce HTML like this: > > <script type="application/json" id="initial-data"> > {"foo": "bar"} > </script> > > > The resulting data would be accessed in JavaScript like this: > > var el = document.getElementById('initial-data'); > var initialData = JSON.parse(el.textContent || el.innerText); > > > This is compatible with a strict Content Security Policy which prohibits > all in-page script execution and maintains a clean separation between > passive data and executable code. > > The second mode of operation would look like this: > > {% json data var="initialData" %} > > > and would produce HTML like this: > > > <script type="application/javascript"> > var initialData = {"foo": "bar"}; > </script> > > > This isn't compatible with strict CSP but it is perhaps simpler and more > familiar to many developers, and not fundamentally insecure, so it should > still be supported. > > Of course, the key issue is whether this can be done securely. In the gist > below is a proposed implementation with links to the sources I've used to > ensure I'm escaping things correctly: > https://gist.github.com/evansd/41ea9dfc90d87f6afde1 > > If people are happy with it then I can create a proper pull request with > docs etc. > > Thanks, > > Dave > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/b47c4e41-a476-450b-a854-5f87f277224f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
