json.dumps(): escaping forward slashes

Question

Since forward slashes can only occur in strings inside a JSON serialized object and are not escaped (in the default settings), using

json.dump(some_dict).replace('/', r'\/')

reliably works, but it looks hacky.

I know that forward slashes don't have to be escaped, but you may escape them, and for my usecase I'd like to have them escaped.

Is there a way to to let the JSONEncoder escape forward slashes without manually escaping them?

Why do you need to escape them? What use case requires escaping? Any reasonable JSON decoder should be able to handle unescaped forward slashes. — Kevin, Nov 25 '14 at 14:49
escaping forward slashes is not required in json, so there's no reason to expect a json encoder to support escaping slashes (or any other arbitrary character). — Marc B, Nov 25 '14 at 14:51
`dumps('') == '""'`. I have not encountered any problems with that , but I would sleep better if `dumps('') == '"<\\/script>"'`. :-) I would not call the forward slash an "arbitrary character". It's one of the six ASCII characters which have an escape code though you don't have to escape them. — Kijewski, Nov 25 '14 at 14:59

score 10 · Accepted Answer · edited Oct 08 '18 at 21:19

Only escape forward slashes when encode_html_chars=True

Check out this- https://github.com/esnme/ultrajson/pull/114

The JSON spec says forward slashes shall be escaped implicitly.

Here is a solution to do it in JSONEncoder itself. Its just that you create an ESCAPE DICTIONARY and do computation before hand and do the encoding later.

https://chromium.googlesource.com/external/googleappengine/python/+/dc33addea2da464ca07e869cb11832e1ae82da9d/lib/django/django/utils/simplejson/encoder.py

Hope it helps.

-

Adding to the above solution, there is another reason to escape the characters. As kay said, it gives us some extra sleep. It prevents the attack. So the solution above takes care of all issues.

ESCAPE_DCT = {
    # escape all forward slashes to prevent </script> attack
    '/': '\\/',
    '\\': '\\\\',
    '"': '\\"',
    '\b': '\\b',
    '\f': '\\f',
    '\n': '\\n',
    '\r': '\\r',
    '\t': '\\t',
}

My pleasure Kay. Can my answer be marked as solution if it helped you? — bozzmob, Nov 25 '14 at 15:09

score 5 · Answer 2 · edited Jan 05 '22 at 05:42

5

Use escape_forward_slashes as per ujson doc,

escape_forward_slashes Controls whether forward slashes (/) are escaped. Default is True:

>>> ujson.dumps("http://esn.me")
'"http:\/\/esn.me"'
>>> ujson.dumps("http://esn.me", escape_forward_slashes=False)
'"http://esn.me"'

See here.

edited Jan 05 '22 at 05:42

Maximilian Machedon

95
9

answered Oct 23 '18 at 16:00

radtek

34,210
11
144
111

json.dumps(): escaping forward slashes

2 Answers2

Linked

Related