Could you have a hybrid that took this:
{% json data id="initial-data" var="variable_name" %}
And did this:
{"foo": "bar"}
var totally_random_uuid = document.getElementById('initial-data');
var variable_name = JSON.parse(totally_random_uuid.textContent ||
totally_
Thanks Chris. Yes, I do share your feeling that the declare-a-global-var
way of doing things is a bit icky. My reason for wanting to support it was
that in order to use the "proper" method you need to be able to parse JSON
and that means that if you want to support older browsers you've now got a
dep
I like the idea, I've been using a custom script that does the first mode
of this tag nearly exactly the same way (with the same security escaping).
Not the biggest fan of the second mode of operation since like you say,
it's not compatible with strict CSP. Why not just encourage people to do it
Thanks. This is a good example of the problem actually as that library is
vulnerable to XSS. If someone can get the string "]]>" into the
JSON they break out of the CDATA block and the script element and can then
execute arbitrary code.
On Wednesday, 14 May 2014 14:57:06 UTC+1, Michael Mior wro
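The escaping approach discussed in this thread (emit the JSON into a script element, with <, > and & rendered as JSON \uXXXX escapes so that neither "</script>" nor the CDATA terminator "]]>" can appear literally), as an added example; this is constructed code, not Django's tag and not any poster's implementation. The function names json_script and read_json_script, and the element id "initial-data", are assumptions for the example.

```python
import html
import json
import re

# Characters that can close or alter the enclosing HTML context when JSON is
# inlined inside a <script> element. Replacing them with JSON \uXXXX escapes
# keeps the payload valid JSON while making "</script>", "<!--" and the CDATA
# terminator "]]>" impossible to spell literally inside the element body.
_HTML_UNSAFE = str.maketrans({"<": "\\u003C", ">": "\\u003E", "&": "\\u0026"})


def json_script(value, element_id):
    """Serialize `value` into a <script type="application/json"> element that
    can be placed anywhere in an HTML document without further escaping.
    (Constructed example, not Django's own template tag.)"""
    # json.dumps only ever emits <, > and & inside string literals, so the
    # translation cannot break the JSON grammar; JSON.parse still sees the
    # original characters after decoding the escapes.
    body = json.dumps(value, separators=(",", ":")).translate(_HTML_UNSAFE)
    # The id lands inside a quoted attribute and needs ordinary HTML escaping.
    return '<script id="%s" type="application/json">%s</script>' % (
        html.escape(element_id, quote=True), body)


def read_json_script(markup, element_id):
    """Stand-in for the browser side (getElementById + JSON.parse): pull the
    element body out of the rendered markup and decode it."""
    pattern = r'<script id="%s" type="application/json">(.*?)</script>' % (
        re.escape(html.escape(element_id, quote=True)))
    match = re.search(pattern, markup, re.DOTALL)
    if match is None:
        raise LookupError("no json script element with id %r" % element_id)
    return json.loads(match.group(1))


if __name__ == "__main__":
    # Constructed sample: a value carrying the "]]>" and "</script>" sequences
    # the thread warns about. It survives the round trip without ever
    # appearing literally in the markup.
    sample = {"foo": "]]></script><b>&amp;"}
    rendered = json_script(sample, "initial-data")
    print(rendered)
    assert read_json_script(rendered, "initial-data") == sample
```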
I've used django-jsonify (https://pypi.python.org/pypi/django-jsonify/) in
the past for this successfully. I'm not certain of the security of the
code since unfortunately I didn't have the time to do a proper audit, but
it seemed to handle some common cases.
--
Michael Mior
On Tuesday, May
There was some discussion previously (see
https://code.djangoproject.com/ticket/17419) of adding a JSON encoding
filter to Django. This was rejected as being impossible (or very difficult)
to do securely. However the requirement to embed JSON in an HTML page is
quite a common one, and it's easy