Escape variables interpolated into <script> within index.html

Django's escapejs prevents breaking out with an embedded </script> tag. It only works on bare string contents, not JSON-ish lists and such. So we generate stream_list and people_list with template loops now. (imported from commit 07fe4bebaa3fa11bc479b4378b8989560ce77f6f)
2012-10-10 17:53:00 -04:00 · 2012-10-10 17:53:00 -04:00 · 7137787984
parent 4715d2144c
commit 7137787984
2 changed files with 20 additions and 6 deletions
--- a/templates/zephyr/index.html
+++ b/templates/zephyr/index.html
@ -43,11 +43,25 @@

 <script type="text/javascript">
 {% autoescape off %}
+
+{# Not escaped, because it's guaranteed by the model to be an integer. #}
 var initial_pointer = {{ user_profile.pointer }};
-var email = "{{ user_profile.user.email }}";
-var stream_list = {{ streams }};
-var people_list = {{ people }};
-var have_initial_messages = {{ have_initial_messages }};
+
+var email = "{{ user_profile.user.email|escapejs }}";
+var have_initial_messages = {{ have_initial_messages|escapejs }};
+
+var stream_list = [
+{% for stream in streams %}
+    "{{ stream|escapejs }}",
+{% endfor %}
+];
+
+var people_list = [
+{% for person in people %}
+    "{{ person|escapejs }}",
+{% endfor %}
+];
+
 {% endautoescape %}
 </script>
 {% endblock %}
--- a/zephyr/views.py
+++ b/zephyr/views.py
@ -173,8 +173,8 @@ def home(request):
    return render_to_response('zephyr/index.html',
                              {'user_profile': user_profile,
                               'email_hash'  : hashlib.md5(user_profile.user.email).hexdigest(),
-                               'people'      : simplejson.dumps(people),
-                               'streams'     : simplejson.dumps(streams),
+                               'people'      : people,
+                               'streams'     : streams,
                               'have_initial_messages':
                                   'true' if messages else 'false',
                               'show_debug':