The main feature of this library, a form of the json filter which safely
embeds json in HTML, has been added to Django as
json_script.
Use that instead.
A lightweight collection of JSON helpers for Django. Includes a template filter for safely outputting JSON, views that encode and decode JSON, and a helper for writing simple REST views.
A special JSON encoder is used to serialize QuerySets and objects with
to_json methods.
You can serialize an object in JSON using the |json filter. This is useful
to generate safe JavaScript:
{% load argonauts %}
<script type="application/javascript">
(function () {
var object_list = {{ object_list|json }};
// do something with object_list
})();
</script>|json is safe to use anywhere in XML or XHTML except in an attribute. It's
important to use this tag rather than dumping the output of json.dumps into
HTML, because an attacker could output a closing tag and effect an XSS attack.
For example, if we output json.dumps("</script><script>console.log('xss');
//") in template like this:
<script>
var somedata = {{ somedata_as_json|safe }};
</script>We get:
<script>
var somedata = "</script>
<script>
console.log('xss'); //";
</script>This allows the attacker to inject their own JavaScript. The |json tag
prevents this by encoding the closing </script> tag with JSON's unicode
escapes. If we output {{ somedata|json }}, we get:
<script>
var somedata = "\u0060xscript\u0062x\u0060xscript\u0062xconsole.log('xss');//";
</script>It also escapes ampersands in order to generate valid XML. For example, with the value
foo & bar:
<document><json>{{ value|json }}</json></document>
<!-- Results in valid XML:
<document><json>"foo \u0038x bar"</json></document>
-->JsonResponseMixin implements render_to_response method that serializes
an object into a JSON response. Thus it is compatible with generic Django
views:
from django.db import models
from django.views.generic.detail import BaseDetailView
from argonauts.views import JsonResponseMixin
class Blog(models.Model):
title = models.CharField(max_length=255)
body = models.TextField()
def to_json(self):
return {
'title': self.title,
'body': self.body,
}
class BlogDetailView(JsonResponseMixin, BaseDetailView):
"""
Detail view returning object serialized in JSON
"""
model = BlogJsonRequestMixin gives access to the request data through data() method.
from django.views.generic.base import View
from argonauts.views import JsonRequestMixin:
from argonauts.http import JsonResponse
class EchoView(JsonRequestMixin, View):
def dispatch(self, *args, **kwargs):
return JsonResponse(self.data())RestView is an abstract class. Subclasses should implement auth(), for
handling authentication, and at least one HTTP method.
RestView implements OPTIONS http method, and inherits from
JsonRequestMixin and JsonResponseMixin.
from django.core.exceptions import PermissionDenied
from argonauts.views import RestView
from .utils import get_action
class CrazyRestView(RestView):
def auth(self, *args, **kwargs):
if not self.request.user.is_superuser:
raise PermissionDenied
def post(self, *args, **kwargs):
action = kwargs.pop('action')
action_func = get_action(action)
return self.render_to_response(action_func(self.data()))