[PATCH 4 of 4 V2] encoding: backport paranoid escaping from templatefilters.jsonescape()

Yuya Nishihara yuya at tcha.org
Tue Feb 9 10:40:19 EST 2016


# HG changeset patch
# User Yuya Nishihara <yuya at tcha.org>
# Date 1451213891 -32400
#      Sun Dec 27 19:58:11 2015 +0900
# Node ID 1af88ccc2eca3e2484f982b9d7a3752cda91ce8e
# Parent  16123be761e3f990f7e112be88cc73f9d21893b7
encoding: backport paranoid escaping from templatefilters.jsonescape()

This was introduced by 55c763926a28. It is required in order to embed JSON data
in an HTML page. Convince yourself here:

http://escape.alf.nu/1

diff --git a/mercurial/encoding.py b/mercurial/encoding.py
--- a/mercurial/encoding.py
+++ b/mercurial/encoding.py
@@ -391,6 +391,8 @@ class normcasespecs(object):
 _jsonmap[0x0c] = '\\f'
 _jsonmap[0x0d] = '\\r'
 _paranoidjsonmap = _jsonmap[:]
+_paranoidjsonmap[0x3c] = '\\u003c'  # '<' (e.g. escape "</script>")
+_paranoidjsonmap[0x3e] = '\\u003e'  # '>'
 _jsonmap.extend(chr(x) for x in xrange(128, 256))
 
 def jsonescape(s, paranoid=False):
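Review bot: The paranoid map gains only `<` and `>` here, so as far as this hunk shows, `&` and `'` still pass through unescaped. That is aimed at output placed inside a `<script>` element, but it does not make the result safe in an HTML attribute or other markup context, where the caller must still HTML-escape. The inline comment names only `</script>`, so I would state the boundary next to the map: `# covers embedding inside <script>...</script> only; HTML-escape separately for attribute/markup contexts`. Whether the earlier `_jsonmap` entries already handle `&` is not visible in this hunk, so confirm that before relying on it.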
@@ -419,8 +421,8 @@ def jsonescape(s, paranoid=False):
     >>> jsonescape('')
     ''
 
-    If paranoid, non-ascii characters are also escaped. This is suitable for
-    web output.
+    If paranoid, non-ascii and common troublesome characters are also escaped.
+    This is suitable for web output.
 
     >>> jsonescape('escape boundary: \\x7e \\x7f \\xc2\\x80', paranoid=True)
     'escape boundary: ~ \\\\u007f \\\\u0080'
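Review bot: "common troublesome characters" in the new docstring text does not say which characters are escaped, and "suitable for web output" reads as a guarantee for every HTML context rather than the one the change targets. I would name the characters and the context, for example `If paranoid, non-ascii characters and '<' / '>' are also escaped, so the result can be embedded in an HTML <script> block.` The docstring begins above this hunk and continues below it, so the rest of its wording is not visible here.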
@@ -430,6 +432,8 @@ def jsonescape(s, paranoid=False):
     'utf-8: caf\\\\u00e9'
     >>> jsonescape('non-BMP: \\xf0\\x9d\\x84\\x9e', paranoid=True)
     'non-BMP: \\\\ud834\\\\udd1e'
+    >>> jsonescape('<foo at example.org>', paranoid=True)
+    '\\\\u003cfoo at example.org\\\\u003e'
     '''
 
     if paranoid:

