is python's json.dumps output safe for javascript?
Question
I want to know if python's json.dumps method's output is safe for rendering directly into html/js script without escaping.
my_dict = {...}
my_dict_json_str = json.dumps(my_dict)
and then rendering this
<script>
var my_dict = {{my_dict_json_str}};
</script>
Does this work every time or are there some characters that will break it?
1 answers
solution1
3 ACCPTED 2018-11-28 15:39:03
json.dumps is not safe for html use without proper escaping.
>>> json.dumps({"one": "</script>"})
'{"one": "</script>"}'
This behaviour can break your html.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
JSON.stringify (Javascript) and json.dumps (Python) not equivalent on a list?
Hack json.dumps to output unquoted strings?
JSON response from Python json.dumps
JSON from python json.dumps to javascript JSON.parse() with escaped \"
Is there a way to use something equivalent to json.dumps in javascript
How to get rid of 'quot' in Python json.dumps
One of the json.dumps values is null
How to restore integers from my json.dumps file (for display in my javascript chart) when using Django
Django/JS: json.dumps and parse.json
json.dumps returns the objects as a string instead of a JSON object
Related Tags