The tojson filter escapes <, >, & and '. To avoid JavaScript injection in HTML <script> tags and data-* attributes, Django and others (e.g. Odoo) seem to also escape \u2028 and \u2029 (treated as newlines by some JavaScript engines, which may allow an attacker to begin a new JavaScript instruction).
More info at https://code.djangoproject.com/ticket/17419#comment:27
See the issue and commit in djangoproject.
Nowadays the symbols are some more, I think: https://github.com/jonashaag/django/blob/master/django/utils/html.py#L54
I saw only htmlsafe_json_dumps, without knowing all of the Jinja codebase, however; sorry if this is an already addressed or evaluated issue.
Thanks, Pp
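The escaping the thread asks for, as an added example that is not Jinja's, Django's or the poster's code: a small htmlsafe_json_dumps that replaces <, >, &, ' and the two line separators with \uXXXX escapes, plus a check that shows why the explicit U+2028/U+2029 handling matters when ensure_ascii=False is used. The function and helper names, the sample input and the assumption that the caller may pass ensure_ascii=False are mine.

```python
import json

# Characters that must never appear literally inside an HTML <script> block
# or a data-* attribute, even though JSON itself permits them. U+2028 and
# U+2029 are line terminators for some JavaScript engines, so a string value
# containing one could end the current statement inside a <script> block.
# Every replacement is a \uXXXX escape, which JSON and JavaScript both decode
# back to the original character, so the serialized value is unchanged.
_HTML_SAFE_MAP = {
    ord("<"): "\\u003c",
    ord(">"): "\\u003e",
    ord("&"): "\\u0026",
    ord("'"): "\\u0027",
    ord("\u2028"): "\\u2028",
    ord("\u2029"): "\\u2029",
}


def htmlsafe_json_dumps(obj, **kwargs) -> str:
    """Serialize obj as JSON that is safe to embed in <script> or data-*.

    Assumption (hypothetical API, not Jinja's): kwargs are passed straight
    to json.dumps. With the default ensure_ascii=True, json.dumps already
    writes U+2028/U+2029 as \\u escapes; with ensure_ascii=False they would
    survive as raw characters, which is the case this translation covers.
    """
    return json.dumps(obj, **kwargs).translate(_HTML_SAFE_MAP)


def is_script_safe(serialized: str) -> bool:
    """Return True if no HTML- or JS-sensitive character appears literally."""
    return not any(chr(cp) in serialized for cp in _HTML_SAFE_MAP)


if __name__ == "__main__":
    # Constructed sample: untrusted text containing each sensitive character.
    payload = {"name": "<tag> & 'quote'\u2028next\u2029line"}
    unsafe = json.dumps(payload, ensure_ascii=False)   # raw U+2028 survives
    safe = htmlsafe_json_dumps(payload, ensure_ascii=False)
    print("plain json.dumps safe?", is_script_safe(unsafe))  # False
    print("htmlsafe_json_dumps safe?", is_script_safe(safe))  # True
    print(safe)
    assert json.loads(safe) == payload  # value is preserved exactly
```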