Fixed XSS problem by escaping all slashes in JSON.

This also probes simplejson first to determine whether it escapes slashes
on its own, which it did in earlier versions.
This commit is contained in:
Armin Ronacher 2010-04-20 15:12:16 +02:00
parent 268302fc68
commit 9f6bc93e4d
2 changed files with 13 additions and 1 deletions


@ -245,6 +245,8 @@ class JSONTestCase(unittest.TestCase):
with app.test_request_context():
rv = flask.render_template_string('{{ "</script>"|tojson|safe }}')
assert rv == '"<\\/script>"'
rv = flask.render_template_string('{{ "<\0/script>"|tojson|safe }}')
assert rv == '"<\\u0000\\/script>"'
class TemplatingTestCase(unittest.TestCase):
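Review bot: The second added assertion, `assert rv == '"<\\u0000\\/script>"'`, checks two behaviours at once — the NUL byte coming out as `\u0000` and the slash coming out as `\/` — so a regression in either produces the same undifferentiated failure; keeping the existing `</script>` case as the slash check and making the new case about the control character alone, or adding `# combined case: control char and slash must both survive the escaping path` above it, would make the intent readable. The test only demonstrates that `|tojson|safe` output cannot contain a literal `</script>` sequence, which is what matters inside a `<script>` element; since `|safe` disables autoescaping everywhere, a short comment noting that the filter's output is presumably only meant for script blocks, not attribute values, would record that limitation for future readers. The simplejson probe described in the commit message is not in this section, so I cannot tell from here whether both the native-escaping path and the manual replacement fallback are exercised; if they are not, a test that forces the fallback would be worth adding. The enclosing test method begins before the hunk.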