Escape variables interpolated into <script> within index.html

Django's escapejs prevents breaking out with an embedded </script> tag.

It only works on bare string contents, not JSON-ish lists and such.  So we
generate stream_list and people_list with template loops now.

(imported from commit 07fe4bebaa3fa11bc479b4378b8989560ce77f6f)
This commit is contained in:
Keegan McAllister 2012-10-10 17:53:00 -04:00
parent 4715d2144c
commit 7137787984
2 changed files with 20 additions and 6 deletions


@ -43,11 +43,25 @@
<script type="text/javascript">
{% autoescape off %}
{# Not escaped, because it's guaranteed by the model to be an integer. #}
var initial_pointer = {{ user_profile.pointer }};
var email = "{{ user_profile.user.email }}";
var stream_list = {{ streams }};
var people_list = {{ people }};
var have_initial_messages = {{ have_initial_messages }};
var email = "{{ user_profile.user.email|escapejs }}";
var have_initial_messages = {{ have_initial_messages|escapejs }};
var stream_list = [
{% for stream in streams %}
"{{ stream|escapejs }}",
{% endfor %}
];
var people_list = [
{% for person in people %}
"{{ person|escapejs }}",
{% endfor %}
];
{% endautoescape %}
</script>
{% endblock %}
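Review bot: The two new template loops leave a trailing comma after the last element (`"…",` followed by `];`), which in ES3-era engines such as old IE yields an array one element longer than intended; emit the comma only between elements with `"{{ stream|escapejs }}"{% if not forloop.last %},{% endif %}` and the same for `person`. The new `have_initial_messages` line applies `escapejs` to an unquoted value, but `escapejs` is designed for quoted JS string literals; it is safe here only because the view appears to supply the literal strings 'true'/'false', and that reliance should be stated the way the `initial_pointer` comment does, e.g. `{# Not quoted: the view supplies the literal 'true' or 'false'. #}`. Note that `{% autoescape off %}` still covers the whole block, so `escapejs` is the only escaping applied to every interpolation here.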


@ -173,8 +173,8 @@ def home(request):
return render_to_response('zephyr/index.html',
{'user_profile': user_profile,
'email_hash' : hashlib.md5(user_profile.user.email).hexdigest(),
'people' : simplejson.dumps(people),
'streams' : simplejson.dumps(streams),
'people' : people,
'streams' : streams,
'have_initial_messages':
'true' if messages else 'false',
'show_debug':
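Review bot: Passing `people` and `streams` as raw lists changes the view's contract with the template, which now quotes each element as a JS string, so these lists must contain plain strings rather than the JSON-serializable structures the old `simplejson.dumps` call accepted; nothing in the hunk records that. A short comment on the two new lines, such as `# lists of plain strings; index.html quotes and escapes each element`, would keep the next change from passing dicts here. `home` begins and its context dict continues outside this hunk.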