[PATCH 3 of 3] encoding: backport paranoid escaping from templatefilters.jsonescape()
Yuya Nishihara
yuya at tcha.org
Sat Jan 16 06:33:55 CST 2016
# HG changeset patch
# User Yuya Nishihara <yuya at tcha.org>
# Date 1451213891 -32400
# Sun Dec 27 19:58:11 2015 +0900
# Node ID a090fb7be0b0415289ca2b6666c5f0cd8d912496
# Parent b3b1bef76d54a4755a1b221a36b00253eefefd9a
encoding: backport paranoid escaping from templatefilters.jsonescape()
This was introduced by 55c763926a28. It should not be necessary, but it guards
against possible XSS vulnerabilities.
diff --git a/mercurial/encoding.py b/mercurial/encoding.py
--- a/mercurial/encoding.py
+++ b/mercurial/encoding.py
@@ -408,8 +408,8 @@ def jsonescape(s, paranoid=False):
>>> jsonescape('')
''
- If paranoid, non-ascii characters are also escaped. This is suitable for
- web output.
+ If paranoid, non-ascii and common troublesome characters are also escaped.
+ This is suitable for web output.
>>> jsonescape('escape boundary: \\x7e \\x7f \\xc2\\x80', paranoid=True)
'escape boundary: ~ \\\\u007f \\\\u0080'
@@ -419,6 +419,8 @@ def jsonescape(s, paranoid=False):
'utf-8: caf\\\\u00e9'
>>> jsonescape('non-BMP: \\xf0\\x9d\\x84\\x9e', paranoid=True)
'non-BMP: \\\\ud834\\\\udd1e'
+ >>> jsonescape('<foo at example.org>', paranoid=True)
+ '\\\\u003cfoo at example.org\\\\u003e'
'''
if not _jsonmap:
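Review bot: The added doctest's input and expected output both read `foo at example.org`, which looks like the list archiver's anti-spam rewrite of `@` rather than the committed text; if the patch is applied from this page rather than from the repository, confirm that the docstring still reads `'<foo@example.org>'` on both lines so the example keeps demonstrating a realistic address. The doctest only verifies `<` and `>`; a second example covering a string that is already JSON-safe, such as `>>> jsonescape('a & b', paranoid=True)`, would make explicit that `&` is passed through unchanged. The enclosing function's signature and body lie outside this hunk.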
@@ -436,6 +438,8 @@ def jsonescape(s, paranoid=False):
_jsonmap['\f'] = '\\f'
_jsonmap['\r'] = '\\r'
_paranoidjsonmap.update(_jsonmap)
+ _paranoidjsonmap['<'] = '\\u003c'
+ _paranoidjsonmap['>'] = '\\u003e'
for x in xrange(128, 256):
c = chr(x)
_jsonmap[c] = c
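Review bot: The two new `_paranoidjsonmap` entries carry no comment explaining why `<` and `>` are escaped in paranoid mode, and the reason is not obvious from the JSON spec since both characters are legal in JSON strings; a why-comment such as `# escape '<' and '>' so JSON embedded in an HTML <script> body cannot terminate the tag (belt-and-braces against XSS)` would stop a later cleanup from dropping them. Note that `&` is not added, so the paranoid output is only safe for a script body or a text node, not for an unquoted or attribute context, which is worth stating in the docstring sentence "This is suitable for web output" in the first hunk. The non-ASCII range handled by the loop below presumably also covers U+2028/U+2029 via the existing `\u` escaping of bytes 0x80–0xFF, but that is inferred from the doctests rather than visible here. The enclosing function and the `_paranoidjsonmap` definition start outside this hunk.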