Merge lp:~wgrant/lazr.restful/bug-684430 into lp:lazr.restful
| Status | Merged |
|---|---|
| Approved by | Robert Collins |
| Approved revision | 190 |
| Merged at revision | 188 |
| Proposed branch | lp:~wgrant/lazr.restful/bug-684430 |
| Merge into | lp:lazr.restful |
| Diff against target | 79 lines (+12/-4), 5 files modified: setup.py (+1/-1), src/lazr/restful/NEWS.txt (+3/-0), src/lazr/restful/_resource.py (+2/-1), src/lazr/restful/docs/webservice.txt (+5/-1), versions.cfg (+1/-1) |
| To merge this branch | bzr merge lp:~wgrant/lazr.restful/bug-684430 |
| Related bugs | |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Robert Collins (community) | Approve | | |

Review via email: mp+55678@code.launchpad.net
Commit message
The webservice:json TALES function now produces HTML-escaping-
Description of the change
It is impossible to correctly insert the output of the webservice:json TALES function into a script tag in an HTML document. HTML (not XHTML) specifies <script>'s contents as CDATA, which doesn't expand entities but can be terminated by any closing tag. So you can't turn <, >, & into entities, as the JSON parser will see the undecoded entities. And if you don't escape them at all then malicious JSON can break out of the element. So we need to escape them some other way.
simplejson now provides a JSONEncoderForHTML, which replaces <, > and & with their corresponding Unicode escape sequences. Its output is resilient to escaping, allowing it to be safely inserted into a document.
I've changed ResourceJSONEncoder to inherit JSONEncoderForHTML instead of JSONEncoder. This is a little too broad: it will perform the extra escaping on content returned normally as application/json, not just text/html. But this is OK: the encodings are equivalent, decoding to identical strings. The only downsides are reduced readability and minor representation bloat.
JSONEncoderForHTML is new in simplejson 2.1.0, so I incremented the requirement.
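The escaping the description relies on, as an added example that is not lazr.restful's or simplejson's code: a stdlib `json` encoder (named `HTMLSafeJSONEncoder` here, an assumed name) that replaces `<`, `>` and `&` with their `\uXXXX` escapes the way `JSONEncoderForHTML` does, run over a constructed value that would otherwise terminate a `<script>` element.

```python
import json

# Characters that can end an HTML <script> element's CDATA content (or be
# misread as markup), mapped to their JSON \uXXXX escapes.  A JSON parser
# decodes these back to the original characters, so the data is unchanged.
_HTML_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


class HTMLSafeJSONEncoder(json.JSONEncoder):
    """Assumed-name stdlib counterpart of simplejson's JSONEncoderForHTML."""

    def encode(self, o):
        # ensure_ascii is True by default, so the serialised text is ASCII
        # and the only backslashes are JSON escapes; replacing bare '<',
        # '>' and '&' afterwards cannot corrupt an existing escape.
        text = super().encode(o)
        for ch, esc in _HTML_ESCAPES.items():
            text = text.replace(ch, esc)
        return text


def encode_for_script(obj):
    """Serialise obj as JSON that is safe to place inside <script>."""
    return json.dumps(obj, cls=HTMLSafeJSONEncoder)


def embed_in_script(obj, var="data"):
    """Build the <script> element a page template would emit."""
    return "<script>var %s = %s;</script>" % (var, encode_for_script(obj))


def roundtrips(obj):
    """True if the escaped form decodes to exactly the original object."""
    return json.loads(encode_for_script(obj)) == obj


# Constructed sample: a string value that, left unescaped, would close the
# script element early and start a second one.
PAYLOAD = {"name": "</script><script>alert(1)</script>", "q": "a&b<c"}

if __name__ == "__main__":
    print(json.dumps(PAYLOAD))        # plain encoder: literal "</script>" inside
    print(embed_in_script(PAYLOAD))   # only the wrapper's own tags remain
    print(roundtrips(PAYLOAD))        # True
```

Entity-escaping the output instead (`&lt;`, `&amp;`) would not work here, since the script element's CDATA content is handed to the JSON parser undecoded.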