tojson no longer escapes script blocks in HTML5 parsers. Fixed #605

CHANGES

@@ -14,6 +14,7 @@ Release date to be decided.
 - Added ``template_test`` methods in addition to the already existing
   ``template_filter`` method family.
 - Set the content-length header for x-sendfile.
+- ``tojson`` filter now does not escape script blocks in HTML5 parsers.
 
 Version 0.9
 -----------

flask/helpers.py

@@ -45,11 +45,13 @@ from .globals import session, _request_ctx_stack, _app_ctx_stack, \
 
 # figure out if simplejson escapes slashes.  This behavior was changed
 # from one version to another without reason.
-if '\\/' not in json.dumps('/'):
+_slash_escape = '\\/' not in json.dumps('/')
-    def _tojson_filter(*args, **kwargs):
+
-        return json.dumps(*args, **kwargs).replace('/', '\\/')
+def _tojson_filter(*args, **kwargs):
-else:
+    rv = json.dumps(*args, **kwargs)
-    _tojson_filter = json.dumps
+    if _slash_escape:
+        rv = rv.replace('/', '\\/')
+    return rv.replace('<!', '<\\u0021')
 
 
 # sentinel

flask/testsuite/helpers.py

@@ -97,6 +97,8 @@ class JSONTestCase(FlaskTestCase):
             self.assert_equal(rv, '"<\\/script>"')
             rv = render('{{ "<\0/script>"|tojson|safe }}')
             self.assert_equal(rv, '"<\\u0000\\/script>"')
+            rv = render('{{ "<!--<script>"|tojson|safe }}')
+            self.assert_equal(rv, '"<\\u0021--<script>"')
 
     def test_modified_url_encoding(self):
         class ModifiedRequest(flask.Request):