Merge branch '0.10-maintenance'

mitsuhiko · mitsuhiko · commit 63d9ede451cd · 2013-06-14T00:05:55.000+01:00
diff --git a/CHANGES b/CHANGES
@@ -8,6 +8,11 @@ Version 0.10.1
 
 Pending bugfix release.
 
+- Fixed an issue where ``|tojson`` was not quoting single quotes which
+  made the filter not work properly in HTML attributes.  Now it's
+  possible to use that filter in single quoted attributes.  This should
+  make using that filter with angular.js easier.
+
 Version 0.10
 ------------
 
diff --git a/flask/json.py b/flask/json.py
@@ -165,14 +165,29 @@ def htmlsafe_dumps(obj, **kwargs):
     also mark the result as safe.  Due to how this function escapes certain
     characters this is safe even if used outside of ``<script>`` tags.
 
+    The following characters are escaped in strings:
+
+    -   ``<``
+    -   ``>``
+    -   ``&``
+    -   ``'``
+
+    This makes it safe to embed such strings in any place in HTML with the
+    notable exception of double quoted attributes.  In that case single
+    quote your attributes or HTML escape it in addition.
+
     .. versionchanged:: 0.10
        This function's return value is now always safe for HTML usage, even
-       if outside of script tags or if used in XHTML.
+       if outside of script tags or if used in XHTML.  This rule does not
+       hold true when using this function in HTML attributes that are double
+       quoted.  Always single quote attributes if you use the ``|tojson``
+       filter.  Alternatively use ``|tojson|forceescape``.
     """
     rv = dumps(obj, **kwargs) \
         .replace(u'<', u'\\u003c') \
         .replace(u'>', u'\\u003e') \
-        .replace(u'&', u'\\u0026')
+        .replace(u'&', u'\\u0026') \
+        .replace(u"'", u'\\u0027')
     if not _slash_escape:
         rv = rv.replace('\\/', '/')
     return rv
diff --git a/flask/testsuite/helpers.py b/flask/testsuite/helpers.py
@@ -104,6 +104,12 @@ def test_template_escaping(self):
             self.assert_equal(rv, '"\\u003c!--\\u003cscript\\u003e"')
             rv = render('{{ "&"|tojson }}')
             self.assert_equal(rv, '"\\u0026"')
+            rv = render('{{ "\'"|tojson }}')
+            self.assert_equal(rv, '"\\u0027"')
+            rv = render("<a ng-data='{{ data|tojson }}'></a>",
+                data={'x': ["foo", "bar", "baz'"]})
+            self.assert_equal(rv,
+                '<a ng-data=\'{"x": ["foo", "bar", "baz\\u0027"]}\'></a>')
 
     def test_json_customization(self):
         class X(object):
