3.7.8 Add json_for_script function to remove unicode data and escape HTML and XML #55

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions filebrowser/templatetags/fb_tags.py
Expand Up @@ -8,7 +8,7 @@
from django.utils.safestring import mark_safe

from filebrowser.settings import EXTENSIONS, SELECT_FORMATS

from filebrowser.utils import json_for_script

register = template.Library()

Expand Down Expand Up @@ -155,7 +155,7 @@ def get_file_extensions(qs):
for item in v:
if item:
extensions.append(item)
return mark_safe(extensions)
return json_for_script(extensions)


# Django 1.9 auto escapes simple_tag unless marked as safe
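Review bot: Replacing `mark_safe(extensions)` with `json_for_script(extensions)` on the return line is only safe if upload.html interpolates the value inside a `<script>` body; json_for_script leaves `"` unescaped and marks the result safe, so in an attribute context such as `data-extensions="{{ ... }}"` it would break out of the attribute. Worth confirming the template usage and recording the contract on the return, e.g. `# JSON with <, >, & escaped; safe only inside a <script> element, not in an attribute`. Note also that the tag's output changes from a Python repr (`['.jpg', ...]`) to JSON (`[".jpg", ...]`), so any template or JS that consumed the old form needs the same update the test in this PR gets. get_file_extensions starts outside the hunk.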
32 changes: 32 additions & 0 deletions filebrowser/utils.py
Expand Up @@ -4,9 +4,15 @@
import os
import unicodedata
import math
import json

from six import iteritems

from django.core.serializers.json import DjangoJSONEncoder
from django.utils import six
from django.utils.module_loading import import_string
from django.utils.html import format_html
from django.utils.safestring import mark_safe

from filebrowser.settings import STRICT_PIL, NORMALIZE_FILENAME, CONVERT_FILENAME
from filebrowser.settings import VERSION_PROCESSORS
Expand All @@ -19,6 +25,32 @@
except ImportError:
import Image

_json_script_escapes = (
('>', '\\u003E'),
('<', '\\u003C'),
('&', '\\u0026'),
)


def json_for_script(value, encoder=DjangoJSONEncoder):
"""
Implementation of json_script from Django 2.1
https://github.com/django/django/commit/8c709d79cbd1a7bb975f58090c17a1178a0efb80

If get_file_extensions is a list of unicode characters, JavaScript is unable to handle it and it will break upload.html
This will convert a list of unicode characters into a regular list, mark it safe, and will escape allthe HTML/XML special
characters with their unicode escapes
"""
json_str = json.dumps(value, cls=encoder)

for bad_char, html_entity in _json_script_escapes:
json_str = json_str.replace(bad_char, html_entity)

return format_html(
'{}',
mark_safe(json_str)
)


def convert_filename(value):
"""
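Review bot: `format_html('{}', mark_safe(json_str))` on the return of json_for_script is a no-op wrapper around `mark_safe(json_str)` — Django's json_script uses format_html to emit the `<script id="…" type="application/json">` element, and without that element the output is only safe inside a `<script>` body, never in an HTML attribute, because `"` is left unescaped. Either restore the element wrapper or collapse the return to `return mark_safe(json_str)` and state that contract in the docstring. The docstring also misdescribes the behaviour: nothing is removed — `json.dumps` defaults to `ensure_ascii=True`, so non-ASCII characters become `\uXXXX` escapes (which is what keeps the JavaScript side happy), and the loop then rewrites `<`, `>`, `&` so the JSON cannot close an enclosing `<script>` (e.g. a `</script>` in a value); I'd rewrite the docstring to say exactly that and fix "allthe" while there. The replace loop itself is sound because it runs on the serialized output, where those characters can only occur inside JSON string literals.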
2 changes: 1 addition & 1 deletion tests/test_templatetags.py
Expand Up @@ -18,5 +18,5 @@ def test_get_all(self):
def test_get_filtered(self):

@cruz-evan If you unify this with the way the above test is written (as in our fork), then you don't need to worry about these small formatting differences. Probably it should use json.loads instead of eval, since this is the context wherein we hit the issue that necessitated this PR.

self.assertEqual(
get_file_extensions(QueryDict('type=image')),
"['.jpg', '.jpeg', '.gif', '.png', '.tif', '.tiff']"
"[\".jpg\", \".jpeg\", \".gif\", \".png\", \".tif\", \".tiff\"]"
)
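Review bot: The updated assertion in test_get_filtered only covers the happy path of get_file_extensions; nothing in the PR exercises the escaping that is the point of json_for_script. I'd add a direct test in the same class (importing `json_for_script` from filebrowser.utils), `self.assertEqual(json_for_script(['</script>', 'a&b']), '["\\u003C/script\\u003E", "a\\u0026b"]')`, so a future change to `_json_script_escapes` or to the `ensure_ascii` default is caught. The enclosing test class starts outside the hunk.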