Patchwork [4,of,4,V2] encoding: backport paranoid escaping from templatefilters.jsonescape()

Submitter Yuya Nishihara
Date Feb. 9, 2016, 3:40 p.m.
Message ID <1af88ccc2eca3e2484f9.1455032419@mimosa>
Permalink /patch/13062/
State Accepted

Comments

Yuya Nishihara - Feb. 9, 2016, 3:40 p.m.
# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1451213891 -32400
#      Sun Dec 27 19:58:11 2015 +0900
# Node ID 1af88ccc2eca3e2484f982b9d7a3752cda91ce8e
# Parent  16123be761e3f990f7e112be88cc73f9d21893b7
encoding: backport paranoid escaping from templatefilters.jsonescape()

This was introduced by 55c763926a28. It is required to embed JSON data in
an HTML page. Convince yourself here:

http://escape.alf.nu/1
Pierre-Yves David - Feb. 12, 2016, 12:03 p.m.
On 02/09/2016 03:40 PM, Yuya Nishihara wrote:
> # HG changeset patch
> # User Yuya Nishihara <yuya@tcha.org>
> # Date 1451213891 -32400
> #      Sun Dec 27 19:58:11 2015 +0900
> # Node ID 1af88ccc2eca3e2484f982b9d7a3752cda91ce8e
> # Parent  16123be761e3f990f7e112be88cc73f9d21893b7
> encoding: backport paranoid escaping from templatefilters.jsonescape()

These look fine by me. I would probably ping Matt about them since he 
reviewed all the previous json encode related work from yuya but Matt is 
not around this week.

I'm confident enough in this series so I've pushed it to the 
clowncopter, adding Matt in CC so that he pays closer attention to it 
while reviewing clowncopter content.

Cheers,

Patch

diff --git a/mercurial/encoding.py b/mercurial/encoding.py
--- a/mercurial/encoding.py
+++ b/mercurial/encoding.py
@@ -391,6 +391,8 @@  class normcasespecs(object):
 _jsonmap[0x0c] = '\\f'
 _jsonmap[0x0d] = '\\r'
 _paranoidjsonmap = _jsonmap[:]
+_paranoidjsonmap[0x3c] = '\\u003c'  # '<' (e.g. escape "</script>")
+_paranoidjsonmap[0x3e] = '\\u003e'  # '>'
 _jsonmap.extend(chr(x) for x in xrange(128, 256))
 
 def jsonescape(s, paranoid=False):
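Review bot: the two new `_paranoidjsonmap` entries cover only 0x3c and 0x3e, so '&' (0x26) still passes through unescaped in paranoid mode. If the output can ever land in XHTML or in an attribute value rather than only in an HTML script body, an entry such as `_paranoidjsonmap[0x26] = '\\u0026'` would close that gap; otherwise say in the comment which embedding context the map is meant for. The comment on the '>' line also gives no reason, unlike the '<' line; a short example of what it guards against would help the next reader.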
@@ -419,8 +421,8 @@  def jsonescape(s, paranoid=False):
     >>> jsonescape('')
     ''
 
-    If paranoid, non-ascii characters are also escaped. This is suitable for
-    web output.
+    If paranoid, non-ascii and common troublesome characters are also escaped.
+    This is suitable for web output.
 
     >>> jsonescape('escape boundary: \\x7e \\x7f \\xc2\\x80', paranoid=True)
     'escape boundary: ~ \\\\u007f \\\\u0080'
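Review bot: "common troublesome characters" in the reworded docstring does not tell a caller what is actually escaped or why. Name the characters ('<' and '>') and the context the commit message gives (JSON embedded in an HTML page), so that someone deciding whether `paranoid=True` is sufficient for their output can tell from the docstring alone.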
@@ -430,6 +432,8 @@  def jsonescape(s, paranoid=False):
     'utf-8: caf\\\\u00e9'
     >>> jsonescape('non-BMP: \\xf0\\x9d\\x84\\x9e', paranoid=True)
     'non-BMP: \\\\ud834\\\\udd1e'
+    >>> jsonescape('<foo@example.org>', paranoid=True)
+    '\\\\u003cfoo@example.org\\\\u003e'
     '''
 
     if paranoid:
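Review bot: the added doctest uses '<foo@example.org>', which checks the mapping but not the case the code comment names as the reason for it. A second doctest with a string containing "</script>" under `paranoid=True` would pin down the behaviour that matters, and one with `paranoid=False` on the same input would document that the default mode leaves '<' and '>' untouched.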