Safely outputting JSON

Carelessly including the output of json.dumps() in an HTML page can lead to an XSS hole, thanks to the following:

>>> import json
>>> s = "</script><script>alert(document.location)</script>"
>>> print(json.dumps({"bad": s}))
{"bad": "</script><script>alert(document.location)</script>"}

Jinja has a function that avoids this in jinja2.utils.htmlsafe_json_dumps() - the (simplified) implementation looks like this:

def htmlsafe_json_dumps(obj):
    return (
        json.dumps(obj)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
        .replace("'", "\\u0027")
    )

Which outputs like this:

>>> print(htmlsafe_json_dumps({"bad": s}))
{"bad": "\u003c/script\u003e\u003cscript\u003ealert(document.location)\u003c/script\u003e"}

Related

• django Pretty-printing all read-only JSON in the Django admin - 2021-03-07
• jinja Turning on Jinja autoescaping when using Template() directly - 2020-09-18
• python Outputting JSON with reduced floating point precision - 2020-08-21
• markdown Useful Markdown extensions in Python - 2021-04-03
• deno Running Python code in a Pyodide sandbox via Deno - 2023-05-10
• jupyter Embedding JavaScript in a Jupyter notebook - 2021-01-22
• python Streaming indented output of a JSON array - 2022-01-17
• observable Using jq in an Observable notebook - 2023-03-25
• github Syntax highlighting Python console examples with GFM - 2021-01-18
• json Processing a stream of chunks of JSON with ijson - 2023-08-15

Created 2021-12-17T17:06:10-08:00 · Edit