[Python-modules-commits] [python-django-jsonfield] 01/03: Import python-django-jsonfield_1.0.1.orig.tar.gz
Raphaël Hertzog
hertzog at moszumanska.debian.org
Thu Jul 21 08:48:29 UTC 2016
hertzog pushed a commit to branch master
in repository python-django-jsonfield.
commit 0a81b60f9ee97095a6279e8f4b374e91edbfe820
Author: Raphaël Hertzog <hertzog at debian.org>
Date: Thu Jul 21 10:41:29 2016 +0200
Import python-django-jsonfield_1.0.1.orig.tar.gz
---
PKG-INFO | 21 +++++++++++++++++++--
README.rst | 19 ++++++++++++++++++-
django_jsonfield.egg-info/PKG-INFO | 21 +++++++++++++++++++--
jsonfield/VERSION | 2 +-
jsonfield/fields.py | 17 +++++++++++++++++
jsonfield/templatetags/jsonify.py | 15 ++++++++++++++-
6 files changed, 88 insertions(+), 7 deletions(-)
diff --git a/PKG-INFO b/PKG-INFO
index 55f26fc..1f309ef 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: django-jsonfield
-Version: 1.0.0
+Version: 1.0.1
Summary: JSONField for django models
Home-page: http://bitbucket.org/schinckel/django-jsonfield/
Author: Matthew Schinckel
@@ -58,12 +58,29 @@ Description: django-jsonfield
{% load jsonify %}
<script>
- var foo = {{ bar|jsonify }};
+ var foo = {{ bar|jsonify|safe }};
</script>
+ Note that you must only use the "safe" filter when you use the jsonify
+ filter within a <script> tag (which is parsed like a CDATA section).
+
+ If you use it in some other places like in an HTML attribute, then
+ you must not use the safe filter so that its output is properly escaped::
+
+ <div data-foo="{{ bar|jsonify }}">
+
+ The above rules are important to avoid XSS attacks with unsafe strings
+ stored in the converted data structure.
+
History
----------
+ 1.0.1
+ ~~~~~~
+ Fix issue with Postgres JSONB fields.
+ Limit XSS attacks with jsonify template tag.
+
+
1.0.0
~~~~~
diff --git a/README.rst b/README.rst
index 34a58ac..46165ce 100644
--- a/README.rst
+++ b/README.rst
@@ -50,12 +50,29 @@ This allows you to convert a python data structure into JSON within a template::
{% load jsonify %}
<script>
- var foo = {{ bar|jsonify }};
+ var foo = {{ bar|jsonify|safe }};
</script>
+Note that you must only use the "safe" filter when you use the jsonify
+filter within a <script> tag (which is parsed like a CDATA section).
+
+If you use it in some other places like in an HTML attribute, then
+you must not use the safe filter so that its output is properly escaped::
+
+ <div data-foo="{{ bar|jsonify }}">
+
+The above rules are important to avoid XSS attacks with unsafe strings
+stored in the converted data structure.
+
History
----------
+1.0.1
+~~~~~~
+Fix issue with Postgres JSONB fields.
+Limit XSS attacks with jsonify template tag.
+
+
1.0.0
~~~~~
diff --git a/django_jsonfield.egg-info/PKG-INFO b/django_jsonfield.egg-info/PKG-INFO
index 55f26fc..1f309ef 100644
--- a/django_jsonfield.egg-info/PKG-INFO
+++ b/django_jsonfield.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: django-jsonfield
-Version: 1.0.0
+Version: 1.0.1
Summary: JSONField for django models
Home-page: http://bitbucket.org/schinckel/django-jsonfield/
Author: Matthew Schinckel
@@ -58,12 +58,29 @@ Description: django-jsonfield
{% load jsonify %}
<script>
- var foo = {{ bar|jsonify }};
+ var foo = {{ bar|jsonify|safe }};
</script>
+ Note that you must only use the "safe" filter when you use the jsonify
+ filter within a <script> tag (which is parsed like a CDATA section).
+
+ If you use it in some other places like in an HTML attribute, then
+ you must not use the safe filter so that its output is properly escaped::
+
+ <div data-foo="{{ bar|jsonify }}">
+
+ The above rules are important to avoid XSS attacks with unsafe strings
+ stored in the converted data structure.
+
History
----------
+ 1.0.1
+ ~~~~~~
+ Fix issue with Postgres JSONB fields.
+ Limit XSS attacks with jsonify template tag.
+
+
1.0.0
~~~~~
diff --git a/jsonfield/VERSION b/jsonfield/VERSION
index 3eefcb9..7dea76e 100644
--- a/jsonfield/VERSION
+++ b/jsonfield/VERSION
@@ -1 +1 @@
-1.0.0
+1.0.1
diff --git a/jsonfield/fields.py b/jsonfield/fields.py
index 551b6eb..befef2c 100644
--- a/jsonfield/fields.py
+++ b/jsonfield/fields.py
@@ -4,6 +4,7 @@ import json
from django.core.exceptions import ValidationError
from django.conf import settings
from django.db import models
+from django.db.backends.signals import connection_created
from django.utils.translation import ugettext_lazy as _
from django.utils import six
@@ -150,3 +151,19 @@ class TypedJSONField(JSONField):
else:
v(value)
+
+def configure_database_connection(connection, **kwargs):
+ if connection.vendor != 'postgresql':
+ return
+
+ # Ensure that psycopg does not do JSON decoding under the hood
+ # We want to be able to do our own decoding with our own options
+ import psycopg2.extras
+ if hasattr(psycopg2.extras, 'register_default_jsonb'):
+ psycopg2.extras.register_default_jsonb(
+ connection.connection,
+ globally=False,
+ loads=lambda x: x)
+
+
+connection_created.connect(configure_database_connection)
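Review bot: `configure_database_connection` has no docstring and the reason for disabling the decoder is only in a terse inline comment; add under the def `"""Stop psycopg2 from decoding jsonb on PostgreSQL connections so the field can run its own json.loads with its own options."""`. The identity `loads` is registered for `jsonb` only — if the field is ever backed by a plain `json` column, psycopg2's default json typecaster would still decode it behind the field's back, so a matching `psycopg2.extras.register_default_json(...)` call is presumably needed; I cannot see from this hunk which column type the field declares. `connection_created.connect(configure_database_connection)` is registered without a `dispatch_uid`; passing `dispatch_uid='jsonfield_configure_database_connection'` is the usual guard against the receiver being attached twice (e.g. under module reload). The `else: v(value)` context lines belong to a TypedJSONField method that starts outside the hunk.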
diff --git a/jsonfield/templatetags/jsonify.py b/jsonfield/templatetags/jsonify.py
index 8d94a6d..c7a562d 100644
--- a/jsonfield/templatetags/jsonify.py
+++ b/jsonfield/templatetags/jsonify.py
@@ -12,4 +12,17 @@ def jsonify(value):
# If we have a queryset, then convert it into a list.
if getattr(value, 'all', False):
value = list(value)
- return mark_safe(json.dumps(value, cls=TZAwareJSONEncoder))
+
+ json_str = json.dumps(value, cls=TZAwareJSONEncoder)
+
+ unsafe_chars = {
+ '&': '\\u0026',
+ '<': '\\u003c',
+ '>': '\\u003e',
+ '\u2028': '\\u2028',
+ '\u2029': '\\u2029',
+ }
+ for (unsafe, safe) in unsafe_chars.items():
+ json_str = json_str.replace(unsafe, safe)
+
+ return json_str
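Review bot: `jsonify` now returns a string subject to autoescaping instead of a `mark_safe`d one, yet nothing at the function records that contract (the def and its docstring are above the hunk); add a docstring line such as `Returns an unsafe string: pipe it through |safe only inside a <script> block, never in an HTML attribute.` so the README rule is visible at the call site. The `'\u2028'`/`'\u2029'` entries only take effect if the encoder emits those characters raw; with `json.dumps`'s default `ensure_ascii=True` they are already written as `\u2028`/`\u2029` escapes, so whether these two entries matter depends on `TZAwareJSONEncoder`, which is not visible here (harmless either way). The five-entry `unsafe_chars` dict is rebuilt on every call; hoisting it to a module-level `_JS_ESCAPES` constant makes the escape set reusable and leaves the body as just the replace loop and the return.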