> On 14 Sep 2015, at 11:52, Florian Apolloner <[email protected]> wrote:
>
> Makes sense, depending on the actual parameters data attributes could make
> sense too for a few things. Oh, btw please do not handwrite JSON in
> templates, either do it in the view or use a filter to actually create JSON
> which then only needs to go through the autoescape filter I think (In that
> sense there is also not really a need for escapejs as far as I see it, but I
> might be wrong).
So I’ve had a go at this and I’ve come up against the "how do you safely output
the JSON to the template without calling mark_safe" problem. Having looked
around, my solution is to output the JSON string with {{ json_string|escapejs }}.
Then, in the JavaScript, call JSON.parse twice:

    JSON.parse(JSON.parse('"' + jsonString + '"'));

The first parse wraps the JSON in quotes and returns the original, unescaped
string, which we can then turn into our data.
Because escapejs turns things into hex codes, which JSON.parse can easily
understand, it is easy to decode but nice and safe to include in HTML. No chance
of closing script tags in the HTML output.
I’ve addressed all of Florian’s other suggestions, so the next stage for me is to
create a pull request so someone can look at actual code and give feedback.
Give me another evening to figure that out.
James
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/8D1D86A4-6404-449C-8353-F053EBB43A6E%40gmail.com.