Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
關註 1
收藏 0
Wiki 捐赠
gooderp18绿色标准版
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
分支: master
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Green_GoodERP18_FSJ_Standard/gooderp18/server/odoo/tools/json.py

74 line
2.5KB
原始文件 永久連結 Blame 文件歷史 

  1. # -*- coding: utf-8 -*-

  2. from datetime import date, datetime

  3. import json as json_

  4. import re

  5. 

  6. import markupsafe

  7. from .func import lazy

  8. from .misc import ReadonlyDict

  9. 

  10. JSON_SCRIPTSAFE_MAPPER = {

  11.     '&': r'\u0026',

  12.     '<': r'\u003c',

  13.     '>': r'\u003e',

  14.     '\u2028': r'\u2028',

  15.     '\u2029': r'\u2029'

  16. }

  17. class _ScriptSafe(str):

  18.     def __html__(self):

  19.         # replacement can be done straight in the serialised JSON as the

  20.         # problematic characters are not JSON metacharacters (and can thus

  21.         # only occur in strings)

  22.         return markupsafe.Markup(re.sub(

  23.             r'[<>&\u2028\u2029]',

  24.             lambda m: JSON_SCRIPTSAFE_MAPPER[m[0]],

  25.             self,

  26.         ))

  27. class JSON:

  28.     def loads(self, *args, **kwargs):

  29.         return json_.loads(*args, **kwargs)

  30.     def dumps(self, *args, **kwargs):

  31.         """ JSON used as JS in HTML (script tags) is problematic: <script>

  32.         tags are a special context which only waits for </script> but doesn't

  33.         interpret anything else, this means standard htmlescaping does not

  34.         work (it breaks double quotes, and e.g. `<` will become `&lt;` *in

  35.         the resulting JSON/JS* not just inside the page).

  36. 

  37.         However, failing to escape embedded json means the json strings could

  38.         contains `</script>` and thus become XSS vector.

  39. 

  40.         The solution turns out to be very simple: use JSON-level unicode

  41.         escapes for HTML-unsafe characters (e.g. "<" -> "\u003C". This removes

  42.         the XSS issue without breaking the json, and there is no difference to

  43.         the end result once it's been parsed back from JSON. So it will work

  44.         properly even for HTML attributes or raw text.

  45. 

  46.         Also handle U+2028 and U+2029 the same way just in case as these are

  47.         interpreted as newlines in javascript but not in JSON, which could

  48.         lead to oddities and issues.

  49. 

  50.         .. warning::

  51. 

  52.             except inside <script> elements, this should be escaped following

  53.             the normal rules of the containing format

  54. 

  55.         Cf https://code.djangoproject.com/ticket/17419#comment:27

  56.         """

  57.         return _ScriptSafe(json_.dumps(*args, **kwargs))

  58. scriptsafe = JSON()

  59. 

  60. 

  61. def json_default(obj):

  62.     from odoo import fields  # noqa: PLC0415

  63.     if isinstance(obj, datetime):

  64.         return fields.Datetime.to_string(obj)

  65.     if isinstance(obj, date):

  66.         return fields.Date.to_string(obj)

  67.     if isinstance(obj, lazy):

  68.         return obj._value

  69.     if isinstance(obj, ReadonlyDict):

  70.         return dict(obj)

  71.     if isinstance(obj, bytes):

  72.         return obj.decode()

  73.     return str(obj)
上海开阖软件有限公司 沪ICP备12045867号-1