Best practice for passing JSON objects to a template
6,914 views
Skip to first unread message
Eric Plumb
Apr 9, 2015, 1:50:50 PM4/9/15
to django...@googlegroups.com
Hi Djangoers!
Sometimes in the course of human events it becomes necessary to encode a JSON object directly into a template. We all prefer AJAX and REST APIs and the rest of the TOFLAs, but in the cases where it has to be part of the template, I'm wondering if there's an accepted canonical best-practice way to do so and remain safe from XSS attacks and other nastiness.
I'm aware of the following two methods:
1. HTML attribute loaded by jQuery's $.data()
# view
return { ... {'my_obj': mark_safe(escape(json.dumps(obj))) } ... }
# template
<div data-my-object={{ my_obj }}>...</div>
# JS
var myObj = $('div').data('my-object'); // implicitly calls JSON.parse() on the encoded object
2. Explicitly parsed JS object
# view
return { ... {'my_obj': mark_safe(escapejs(json.dumps(obj))) } ... }
# template
<script>
var myObj = JSON.parse('{{ my_obj }}')
</script>
Are there better methods? It seems like this ought to come up often in building safe websites, but I don't see a consensus out there on the Web. Thanks in advance for your consideration!
Eric
Ilya Kazakevich
Apr 22, 2015, 1:11:05 PM4/22/15
to django...@googlegroups.com
What about putting it into <script type="application/json">?
Mario Gudelj
Apr 23, 2015, 12:14:16 AM4/23/15
to django...@googlegroups.com
I often use method 2. I don't see a problem with it.
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/9d6666e1-d8c9-41a3-b86e-64e675c1eddf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
florent...@u-dox.com
Apr 24, 2015, 3:06:51 AM4/24/15
to django...@googlegroups.com
I guess both methods are valid.
Method one could be useful if it makes sense to have a data attribute.
Although, if it makes sense to have a data attribute filled up with JSON, and if the json is simple enough, then you can surely convert the json file to "data-" element (for exemple, {"name" : "yo", "city" : "lo"} becomes 'data-name = "yo" data-city = "lo"')
Also, if your concern is security (and also cleanliness of the code), you can also encode the JSON in base64 to avoid people reading too easily the data of the json file.
But methode 2 seem to make sense in most of the cases I can think of!
Plus it is far more simple ! :)
Cheers,
Florent
Method one could be useful if it makes sense to have a data attribute.
Although, if it makes sense to have a data attribute filled up with JSON, and if the json is simple enough, then you can surely convert the json file to "data-" element (for exemple, {"name" : "yo", "city" : "lo"} becomes 'data-name = "yo" data-city = "lo"')
Also, if your concern is security (and also cleanliness of the code), you can also encode the JSON in base64 to avoid people reading too easily the data of the json file.
But methode 2 seem to make sense in most of the cases I can think of!
Plus it is far more simple ! :)
Cheers,
Florent
Piper Merriam
Apr 24, 2015, 10:39:54 AM4/24/15
to django...@googlegroups.com
Look at django-argonauts
https://github.com/fusionbox/django-argonauts
It provides a nice (safe) template tag you can use to filter json serializable python objects into safe javascript objects.
https://github.com/fusionbox/django-argonauts
It provides a nice (safe) template tag you can use to filter json serializable python objects into safe javascript objects.
Reply all
Reply to author
Forward
0 new messages