tojson not marking items as safe per docs

[pleasantone]

Expected Behavior

From the jinja docs:

"Note that this is available in templates through the |tojson filter which will also mark the result as safe. "

Actual Behavior

tojson doesn't seem to be marking the output as safe, so if we establish the jinja
environment with autoescape enabled, and then use tojson, we must add "|safe"
at the end.

Your Environment

• Python version: 3.5.3
• Jinja version: 2.9.6

[davidism]

This seems like an easy fix, if you'd like to submit a pull request.

[pleasantone]

I think it just requires a Markup() around the results before returning, but I'm afraid to submit the request because I don't know all the comprehensive test cases you'd want to run it through, and I'd feel negligent submitting without fully testing. Sorry.

[davidism]

Don't worry, it's not that bad! Adding Markup around it, then making sure the existing test doesn't escape something since it should be safe now, should be fine.

[pleasantone]

I totally agree, it would make a great beginner fix for someone. Best!

…

On May 1, 2017, at 10:52 AM, David Lord ***@***.***> wrote: Don't worry, it's not that bad! Adding Markup around it, then making sure the existing test doesn't escape something, should be fine. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[ThiefMaster]

This sounds like a backwards-incompatible change to me (just like it was in Flask, but at least Flask is pre-1.0).

If Jinja itself used to autoescape json data changing it means people need to add |forceescape whenever it's used outside script tags (e.g. in data attributes) or they'll be prone to XSS.

[pleasantone]

The documentation says it's only safe inside of scripts. So either it's a bug that it's not surrounded by Markup() and you have to deal with people who were misusing it, or it's a feature, in which case, when you folks do eventually make autoescape the default (which is a very sane thing to do, and will squash more XSS bugs), you're going to have to deal with every place tojson is used, in a script, which is now going to need an explicit "|safe".

There's no perfect answer, but I'd lean towards following what the documentation always claimed it did, and save yourself the huge breakage you're going to experience any time someone runs with autoescape enabled (which is your stated future default).

[davidism]

It was also introduced very recently in 2.9, so it feels ok to fix this to match the documented behavior in 2.9-maintenance.

[ayalash]

@davidism Can you please close this issue? You merged my PR for fixing it (#718)