json.dumps(): escaping forward slashes


Solution 1

Only escape forward slashes when encode_html_chars=True

Check out this: https://github.com/esnme/ultrajson/pull/114

The JSON spec says forward slashes shall be escaped implicitly.

Here is a solution to do it in JSONEncoder itself. It's just that you create an ESCAPE DICTIONARY and do the computation beforehand and do the encoding later.

https://chromium.googlesource.com/external/googleappengine/python/+/dc33addea2da464ca07e869cb11832e1ae82da9d/lib/django/django/utils/simplejson/encoder.py

Hope it helps.

-

Adding to the above solution, there is another reason to escape the characters. As kay said, it gives us some extra sleep. It prevents the attack. So the solution above takes care of all issues.

ESCAPE_DCT = {
    # escape all forward slashes to prevent </script> attack
    '/': '\\/',
    '\\': '\\\\',
    '"': '\\"',
    '\b': '\\b',
    '\f': '\\f',
    '\n': '\\n',
    '\r': '\\r',
    '\t': '\\t',
}
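The escape-dictionary idea above, applied to the standard library's json.JSONEncoder rather than to simplejson, as an added example (this is not code from the answer, from simplejson or from ujson). It goes slightly beyond the question: besides '/', it also escapes '<', '>' and '&' as \uXXXX, since those are the other characters that let a string inside an inline <script> block form a tag. The class name, helper names and the sample payload are constructed for this example; the approach assumes the default separators (which contain no '/').

```python
import io
import json

# Characters that matter when JSON is inlined into an HTML <script> block:
# '/' is what the question asks about (it breaks up "</script>"); '<', '>'
# and '&' are escaped too so the text can never form a tag or an entity.
# All replacements are valid JSON string escapes, so any parser reads them back.
_SCRIPT_SAFE = str.maketrans({
    "/": "\\/",
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
})


class ScriptSafeEncoder(json.JSONEncoder):
    """JSONEncoder that post-escapes '/', '<', '>' and '&' in string contents.

    The stock encoder never emits these characters outside string literals
    (assumption: default separators), so rewriting every output chunk only
    touches string contents and cannot corrupt the document structure.
    """

    def iterencode(self, o, _one_shot=False):
        # json.dump() and encode() for non-str values both come through here.
        for chunk in super().iterencode(o, _one_shot=_one_shot):
            yield chunk.translate(_SCRIPT_SAFE)

    def encode(self, o):
        # encode() bypasses iterencode() for a top-level str, so handle that
        # path explicitly; every other value already went through iterencode().
        if isinstance(o, str):
            return super().encode(o).translate(_SCRIPT_SAFE)
        return super().encode(o)


def dumps_script_safe(obj):
    return json.dumps(obj, cls=ScriptSafeEncoder)


def dump_script_safe(obj, fp):
    json.dump(obj, fp, cls=ScriptSafeEncoder)


def round_trips(obj):
    """Check that the extra escaping is transparent to a normal JSON parser."""
    buf = io.StringIO()
    dump_script_safe(obj, buf)
    return json.loads(dumps_script_safe(obj)) == obj and json.loads(buf.getvalue()) == obj


if __name__ == "__main__":
    payload = {"url": "http://esn.me", "html": "</script>"}  # constructed sample
    print(dumps_script_safe(payload))
```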

Solution 2

Use escape_forward_slashes as per the ujson docs:

escape_forward_slashes Controls whether forward slashes (/) are escaped. Default is True:

>>> ujson.dumps("http://esn.me")
'"http:\/\/esn.me"'
>>> ujson.dumps("http://esn.me", escape_forward_slashes=False)
'"http://esn.me"'

See here.


Updated on July 19, 2022

Comments

  • kay
    kay almost 2 years

    Since forward slashes can only occur in strings inside a JSON serialized object and are not escaped (in the default settings), using

    json.dumps(some_dict).replace('/', r'\/')  # dumps() returns the string; dump() writes to a file
    

    reliably works, but it looks hacky.

    I know that forward slashes don't have to be escaped, but you may escape them, and for my usecase I'd like to have them escaped.

    Is there a way to let the JSONEncoder escape forward slashes without manually escaping them?

  • kay
    kay over 9 years
    Thank you very much! I'll use UltraJSON.
  • bozzmob
    bozzmob over 9 years
    My pleasure Kay. Can my answer be marked as solution if it helped you?