3.7.8 Add json_for_script function to remove unicode data and escape HTML and XML

cruz-evan · cruz-evan · commit 44a8be077d91 · 2019-06-10T15:10:49.000-03:00
-Similar implementation to Django 2.1 function json_script
-Fixes the problem where the upload button would not appear if the list had unicode data inside
diff --git a/filebrowser/templatetags/fb_tags.py b/filebrowser/templatetags/fb_tags.py
@@ -1,5 +1,4 @@
 # coding: utf-8
-
 from django import VERSION as DJANGO_VERSION
 from django import template
 from django.contrib.admin.templatetags.admin_static import static
@@ -8,7 +7,7 @@
 from django.utils.safestring import mark_safe
 
 from filebrowser.settings import EXTENSIONS, SELECT_FORMATS
-
+from filebrowser.utils import json_for_script
 
 register = template.Library()
 
@@ -155,7 +154,7 @@ def get_file_extensions(qs):
             for item in v:
                 if item:
                     extensions.append(item)
-    return mark_safe(extensions)
+    return json_for_script(extensions)
 
 
 # Django 1.9 auto escapes simple_tag unless marked as safe
diff --git a/filebrowser/utils.py b/filebrowser/utils.py
@@ -4,9 +4,12 @@
 import os
 import unicodedata
 import math
+import json
 
 from django.utils import six
 from django.utils.module_loading import import_string
+from django.utils.html import format_html
+from django.utils.safestring import mark_safe
 
 from filebrowser.settings import STRICT_PIL, NORMALIZE_FILENAME, CONVERT_FILENAME
 from filebrowser.settings import VERSION_PROCESSORS
@@ -19,6 +22,29 @@
     except ImportError:
         import Image
 
+_json_script_escapes = {
+    ord('>'): '\\u003E',
+    ord('<'): '\\u003C',
+    ord('&'): '\\u0026',
+}
+
+
+def json_for_script(value):
+    """
+    Implementation of json_script from Django 2.1
+    https://github.com/django/django/commit/8c709d79cbd1a7bb975f58090c17a1178a0efb80
+
+    If get_file_extensions is a list of unicode characters, JavaScript is unable to handle it and it will break upload.html
+    This will convert a list of unicode characters into a regular list, mark it safe, and will escape allthe HTML/XML special
+    characters with their unicode escapes
+    """
+    from django.core.serializers.json import DjangoJSONEncoder
+    json_str = json.dumps(value, cls=DjangoJSONEncoder)
+    return format_html(
+        '{}',
+        mark_safe(json_str)
+    )
+
 
 def convert_filename(value):
     """
