Imply the |safe on tojson in templates and change escaping logic
parent 56d3b74488
commit ef72b78042
7 changed files with 46 additions and 31 deletions
@ -364,7 +364,8 @@ JSON module:
|
|||
The :func:`~htmlsafe_dumps` function of this json module is also available
|
||||
as filter called ``|tojson`` in Jinja2. Note that inside `script`
|
||||
tags no escaping must take place, so make sure to disable escaping
|
||||
with ``|safe`` if you intend to use it inside `script` tags:
|
||||
with ``|safe`` if you intend to use it inside `script` tags unless
|
||||
you are using Flask 0.10 which implies that:
|
||||
|
||||
.. sourcecode:: html+jinja
|
||||
|
||||
|
|
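Review bot: The reworded sentence ending "unless you are using Flask 0.10 which implies that" reads as if only release 0.10 implies ``|safe``, and it now sits directly after "no escaping must take place", which the new escaping behaviour contradicts. Suggest "Flask 0.10 or later" with a ``.. versionchanged:: 0.10`` note instead of growing the sentence, and rewording the preceding clause so it no longer says that no escaping takes place.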
@ -372,8 +373,6 @@ with ``|safe`` if you intend to use it inside `script` tags:
|
|||
doSomethingWith({{ user.username|tojson|safe }});
|
||||
</script>
|
||||
|
||||
Note that the ``|tojson`` filter escapes forward slashes properly.
|
||||
|
||||
.. autofunction:: jsonify
|
||||
|
||||
.. autofunction:: dumps
|
||||
|
|
|
|||
|
|
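Review bot: Dropping "Note that the ``|tojson`` filter escapes forward slashes properly." leaves this API section with no statement of what the filter escapes, while the example above it still ends in ``|tojson|safe``. Suggest replacing the sentence rather than deleting it: say which characters are escaped as of 0.10 and that the ``|safe`` in the example is only needed on earlier versions.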
@ -63,9 +63,10 @@ like this:
|
|||
$SCRIPT_ROOT = {{ request.script_root|tojson|safe }};
|
||||
</script>
|
||||
|
||||
The ``|safe`` is necessary so that Jinja does not escape the JSON encoded
|
||||
string with HTML rules. Usually this would be necessary, but we are
|
||||
inside a `script` block here where different rules apply.
|
||||
The ``|safe`` is necessary in Flask before 0.10 so that Jinja does not
|
||||
escape the JSON encoded string with HTML rules. Usually this would be
|
||||
necessary, but we are inside a `script` block here where different rules
|
||||
apply.
|
||||
|
||||
.. admonition:: Information for Pros
|
||||
|
||||
|
|
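Review bot: In the rewritten paragraph, "Usually this would be necessary" now follows "The ``|safe`` is necessary in Flask before 0.10", so "this" reads as ``|safe`` rather than HTML escaping. Suggest naming the subject, for example "Usually HTML escaping would be necessary", and saying what a reader on 0.10 should do with the ``|safe`` still shown in the ``$SCRIPT_ROOT`` example.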
@ -76,6 +77,10 @@ inside a `script` block here where different rules apply.
|
|||
escape slashes for you (``{{ "</script>"|tojson|safe }}`` is rendered as
|
||||
``"<\/script>"``).
|
||||
|
||||
In Flask 0.10 it goes a step further and escapes all HTML tags with
|
||||
unicode escapes. This makes it possible for Flask to automatically
|
||||
mark the result as HTML safe.
|
||||
|
||||
|
||||
JSON View Functions
|
||||
-------------------
|
||||
|
|
|
|||
|
|
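Review bot: The added paragraph says 0.10 "escapes all HTML tags with unicode escapes", but the context line just above still documents ``{{ "</script>"|tojson|safe }}`` as rendering to ``"<\/script>"``; if tags are now unicode-escaped, that rendered output needs a version qualifier or an updated example. "All HTML tags" is also too loose for a statement that justifies marking output as HTML safe: list the exact characters that are escaped, and state which contexts the automatically safe-marked result is intended for (`script` blocks only, or attribute values too).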
@ -106,8 +106,8 @@ by Jinja2 itself:
|
|||
fly.
|
||||
|
||||
Note that inside `script` tags no escaping must take place, so make
|
||||
sure to disable escaping with ``|safe`` if you intend to use it inside
|
||||
`script` tags:
|
||||
sure to disable escaping with ``|safe`` before Flask 0.10 if you intend
|
||||
to use it inside `script` tags:
|
||||
|
||||
.. sourcecode:: html+jinja
|
||||
|
||||
|
|
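Review bot: In "sure to disable escaping with ``|safe`` before Flask 0.10 if you intend to use it", the phrase "before Flask 0.10" can be read as a step to perform before upgrading. Suggest "on Flask versions before 0.10, make sure to disable escaping with ``|safe``" and keeping the wording identical to the matching sentence in the JSON module section so the two do not drift.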
@ -115,8 +115,6 @@ by Jinja2 itself:
|
|||
doSomethingWith({{ user.username|tojson|safe }});
|
||||
</script>
|
||||
|
||||
That the ``|tojson`` filter escapes forward slashes properly for you.
|
||||
|
||||
Controlling Autoescaping
|
||||
------------------------
|
||||
|
||||
|
|
|
|||
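Review bot: With "That the ``|tojson`` filter escapes forward slashes properly for you." removed, the example ``doSomethingWith({{ user.username|tojson|safe }});`` is left with no closing explanation and still carries ``|safe``. The removed line was a sentence fragment, so deleting it is fine, but add one line after the example saying whether the explicit ``|safe`` is redundant on 0.10.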