encoding: backport paranoid escaping from templatefilters.jsonescape()
authorYuya Nishihara <yuya@tcha.org>
Sun, 27 Dec 2015 19:58:11 +0900
changeset 28069 b2d24c2898f9
parent 28068 9ece901f7a19
child 28070 a504794cee29
encoding: backport paranoid escaping from templatefilters.jsonescape() This was introduced by 55c763926a28. It is required to embed JSON data in HTML page. Convince yourself here: http://escape.alf.nu/1
mercurial/encoding.py
--- a/mercurial/encoding.py	Sun Dec 27 19:28:34 2015 +0900
+++ b/mercurial/encoding.py	Sun Dec 27 19:58:11 2015 +0900
@@ -391,6 +391,8 @@
 _jsonmap[0x0c] = '\\f'
 _jsonmap[0x0d] = '\\r'
 _paranoidjsonmap = _jsonmap[:]
+_paranoidjsonmap[0x3c] = '\\u003c'  # '<' (e.g. escape "</script>")
+_paranoidjsonmap[0x3e] = '\\u003e'  # '>'
 _jsonmap.extend(chr(x) for x in xrange(128, 256))
 
 def jsonescape(s, paranoid=False):
@@ -419,8 +421,8 @@
     >>> jsonescape('')
     ''
 
-    If paranoid, non-ascii characters are also escaped. This is suitable for
-    web output.
+    If paranoid, non-ascii and common troublesome characters are also escaped.
+    This is suitable for web output.
 
     >>> jsonescape('escape boundary: \\x7e \\x7f \\xc2\\x80', paranoid=True)
     'escape boundary: ~ \\\\u007f \\\\u0080'
@@ -430,6 +432,8 @@
     'utf-8: caf\\\\u00e9'
     >>> jsonescape('non-BMP: \\xf0\\x9d\\x84\\x9e', paranoid=True)
     'non-BMP: \\\\ud834\\\\udd1e'
+    >>> jsonescape('<foo@example.org>', paranoid=True)
+    '\\\\u003cfoo@example.org\\\\u003e'
     '''
 
     if paranoid: