1. Michael Bayer
  2. mako
  3. Issues


Issue #229 new

json 'dumps' filter for creating javascript with mako

created an issue

I ran into some issues with Mako when trying to make javascript using the output of json.dumps

# in python
python_dict = { "hello" : """This is an example object I am using some 'single quotes' and "double quotes".""", }

usually i can just disable filtering in mako :

// in js template 
var payload = '${simplejson.dumps(python_dict)|n}';

unfortunately in this case the single-quotes break. we get this

// in js generated
var payload = '{"hello": "This is an example object I am using some 'single quotes' and \"double quotes\"."}'

this appears to work fine :

// in js template 
var payload = '${simplejson.dumps(python_dict).encode('string-escape')|n}';

which generates

// in js generated
var payload = {"hello": "This is an example object I am using some \'single quotes\' and \\"double quotes\\"."}

there are a handful of miscellaneous JS+Mako questions floating on StackOverflow and blogs... so i think it might be worthwhile to have an official json escaping method in mako templates.

Comments (4)

  1. Michael Bayer repo owner

    ${my_json | simplejson.dumps,repr,n} ?

    you can put whatever series of filters you want in ${}, if you're trying to get it to display flat in JS, the correct filters have to be worked out but I don't see why a packaged "json for the case of rendering javascript" (if that's what this is) has to be fully built in.

  2. Mads Kiilerich

    Note that you also need some html escaping - especially </script> if you are in html and more full xml escaping if you are in xhtml.

    AFAICS, it is wrong and dangerous to use |n, also on json dumps output.

    AFAICS, the simplest correct way to use json in templates is to put it in the dom as a dataset with the default safe html encoding (<div id="foo" data-foo="${json.dumps(data)}"></div>) and retrieve it from javascript (jQuery: $('#foo').data() ).

  3. jvanasco reporter

    KILLERIX that may apply if you are injecting untrusted, user generated data. those concerns are largely invalid if you are using this to render javascript that you fully control. there are no concerns if you are using mako to generate javascript files.

  4. Mads Kiilerich

    Yes, if all the json really is 100% independent of any user input then we don't have to escape any user input and any hack that works for all possible cases will be fine.

    It would however be very wrong if mako added an escape function that came with a "this will only work correctly for some input and is not secure" disclaimer. Correct and secure is two sides of the same thing.

    Anyway, I had not realized you were creating js files. I agree that it would be wrong to use html escape in js files and json.dumps,repr,n should be fine. Do you agree? Should this issue be closed or rephrased to a "please add a js file specific shortcut for that"?

    ps: Do your example miss surrounding single quotes in the last template output or should they be removed from the first ones? The missing semicolons in the outputs also seems a bit inconsistent/surprising.

  5. Log in to comment