Use JSONEncoderForHTML when preparing JSON fragments for pages
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Critical | William Grant |
lazr.restful | Fix Released | Critical | William Grant |
Bug Description
When reviewing lp:~sinzui/launchpad/closed-teams-0 I said that we
should use JSONEncoderForHTML in preference to the default JSONEncoder
class in simplejson.
From http://
To embed JSON content in, say, a script tag on a web page, the
characters &, < and > should be escaped. They cannot be escaped with
the usual entities (e.g. &amp;) because they are not expanded within
<script> tags.
However, in that review sinzui noted that we "cannot do this right now
because Lp is using 2.0.9".
It doesn't seem to be causing us any problems right now, but the
nature of the issue is such that it could be causing subtle problems
that we might ascribe to other things.
We should probably switch to using JSONEncoderForHTML everywhere we
prepare page fragments, create a simple helper to make it as easy to
use as simplejson.dumps() is, and publicise the change to the team.
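The kind of helper the description asks for, as an added example that is not part of the original bug report or of Launchpad's code. It uses the standard-library json module with a stand-in encoder rather than simplejson's JSONEncoderForHTML; HTMLSafeJSONEncoder, dumps_for_html and render_script are hypothetical names and the sample data is constructed.

```python
import json

# JSON string escapes are used because HTML entities such as &amp; are not
# expanded inside <script>, while \u003c is decoded by any JSON parser.
_HTML_UNSAFE = {"&": "\\u0026", "<": "\\u003c", ">": "\\u003e"}


class HTMLSafeJSONEncoder(json.JSONEncoder):
    """Stdlib stand-in (hypothetical) for simplejson's JSONEncoderForHTML."""

    def iterencode(self, o, _one_shot=False):
        # In valid JSON, &, < and > can only occur inside strings, so
        # replacing them in the encoded text never alters the structure.
        for chunk in super().iterencode(o, _one_shot):
            for char, escaped in _HTML_UNSAFE.items():
                chunk = chunk.replace(char, escaped)
            yield chunk

    def encode(self, o):
        # The base encode() has a shortcut for bare strings that skips
        # iterencode(); route everything through the escaping path instead.
        return "".join(self.iterencode(o, True))


def dumps_for_html(obj, **kwargs):
    """Drop-in for json.dumps() when the result goes inside <script>."""
    return json.dumps(obj, cls=HTMLSafeJSONEncoder, **kwargs)


def render_script(json_text):
    # Constructed page fragment; "data" is a placeholder variable name.
    return "<script>var data = %s;</script>" % json_text


# Constructed sample: a display name that contains markup characters.
SAMPLE = {"displayname": "R&D </script> team"}

if __name__ == "__main__":
    # Default encoder: the string's "</script>" ends the element early.
    print(render_script(json.dumps(SAMPLE)))
    # Escaping encoder: only the real closing tag remains in the fragment.
    print(render_script(dumps_for_html(SAMPLE)))
```
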
Related branches
- Robert Collins (community): Approve
- Diff: 79 lines (+12/-4), 5 files modified:
setup.py (+1/-1)
src/lazr/restful/NEWS.txt (+3/-0)
src/lazr/restful/_resource.py (+2/-1)
src/lazr/restful/docs/webservice.txt (+5/-1)
versions.cfg (+1/-1)
Changed in launchpad-foundations:
status: New → Triaged
importance: Undecided → High
Changed in lazr.restful:
importance: Undecided → Critical
assignee: nobody → William Grant (wgrant)
status: New → In Progress
Changed in lazr.restful:
status: In Progress → Fix Committed
Changed in lazr.restful:
status: Fix Committed → Fix Released
Changed in launchpad:
status: In Progress → Fix Released
Changed in lazr.restful:
milestone: none → 0.18.1
Changed in launchpad:
milestone: none → 11.05
lazr.restful's ResourceJSONEncoder should inherit from JSONEncoderForHTML, and most of LP's JSON encoding should probably use the webservice:json formatter.