Clarify and add detail to tojson docs

Fix some confusing and obsolete prose.

docs/api.rst

@@ -312,10 +312,10 @@ JSON module:
     as string.
 
 The :func:`~htmlsafe_dumps` function of this json module is also available
-as filter called ``|tojson`` in Jinja2.  Note that inside ``script``
-tags no escaping must take place, so make sure to disable escaping
-with ``|safe`` if you intend to use it inside ``script`` tags unless
-you are using Flask 0.10 which implies that:
+as a filter called ``|tojson`` in Jinja2.  Note that in versions of Flask prior
+to Flask 0.10, you must disable escaping with ``|safe`` if you intend to use
+``|tojson`` output inside ``script`` tags. In Flask 0.10 and above, this
+happens automatically (but it's harmless to include ``|safe`` anyway).
 
 .. sourcecode:: html+jinja
 

docs/templating.rst

@@ -110,16 +110,25 @@ by Jinja2 itself:
    is for example very helpful if you try to generate JavaScript on the
    fly.
 
-   Note that inside ``script`` tags no escaping must take place, so make
-   sure to disable escaping with ``|safe`` before Flask 0.10 if you intend
-   to use it inside ``script`` tags:
-
    .. sourcecode:: html+jinja
 
        <script type=text/javascript>
-           doSomethingWith({{ user.username|tojson|safe }});
+           doSomethingWith({{ user.username|tojson }});
        </script>
 
+   It is also safe to use the output of `|tojson` in a *single-quoted* HTML
+   attribute:
+
+   .. sourcecode:: html+jinja
+
+       <button onclick='doSomethingWith({{ user.username|tojson }})'>
+           Click me
+       </button>
+
+   Note that in versions of Flask prior to 0.10, if using the output of
+   ``|tojson`` inside ``script``, make sure to disable escaping with ``|safe``.
+   In Flask 0.10 and above, this happens automatically.
+
 Controlling Autoescaping
 ------------------------