3.7.8 Add json_for_script function to remove unicode data and escape HTML and XML

cruz-evan · cruz-evan · commit 349218db5357 · 2019-06-11T15:21:57.000-03:00
-Similar implementation to Django 2.1 function json_script
-Fixes the problem where the upload button would not appear if the list had unicode data inside
diff --git a/filebrowser/templatetags/fb_tags.py b/filebrowser/templatetags/fb_tags.py
@@ -8,7 +8,7 @@
 from django.utils.safestring import mark_safe
 
 from filebrowser.settings import EXTENSIONS, SELECT_FORMATS
-
+from filebrowser.utils import json_for_script
 
 register = template.Library()
 
@@ -155,7 +155,7 @@ def get_file_extensions(qs):
             for item in v:
                 if item:
                     extensions.append(item)
-    return mark_safe(extensions)
+    return json_for_script(extensions)
 
 
 # Django 1.9 auto escapes simple_tag unless marked as safe
diff --git a/filebrowser/utils.py b/filebrowser/utils.py
@@ -4,9 +4,15 @@
 import os
 import unicodedata
 import math
+import json
 
+from six import iteritems
+
+from django.core.serializers.json import DjangoJSONEncoder
 from django.utils import six
 from django.utils.module_loading import import_string
+from django.utils.html import format_html
+from django.utils.safestring import mark_safe
 
 from filebrowser.settings import STRICT_PIL, NORMALIZE_FILENAME, CONVERT_FILENAME
 from filebrowser.settings import VERSION_PROCESSORS
@@ -19,6 +25,32 @@
     except ImportError:
         import Image
 
+_json_script_escapes = (
+    ('>', '\\u003E'),
+    ('<', '\\u003C'),
+    ('&', '\\u0026'),
+)
+
+
+def json_for_script(value, encoder=DjangoJSONEncoder):
+    """
+    Implementation of json_script from Django 2.1
+    https://github.com/django/django/commit/8c709d79cbd1a7bb975f58090c17a1178a0efb80
+
+    If get_file_extensions is a list of unicode characters, JavaScript is unable to handle it and it will break upload.html
+    This will convert a list of unicode characters into a regular list, mark it safe, and will escape allthe HTML/XML special
+    characters with their unicode escapes
+    """
+    json_str = json.dumps(value, cls=encoder)
+
+    for bad_char, html_entity in _json_script_escapes:
+        json_str = json_str.replace(bad_char, html_entity)
+
+    return format_html(
+        '{}',
+        mark_safe(json_str)
+    )
+
 
 def convert_filename(value):
     """
