Request: ?json_string, similar to ?js_string

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Request: ?json_string, similar to ?js_string

Eirik Lygre
Hi,

FreeMarker today comes with the built-in "?js_string", which escapes strings according to JavaScript rules. From the FreeMarker docs:

Escapes the string with the escaping rules of JavaScript language string literals, so it is safe to insert the value into a string literal. Both quotation mark (") and apostrophe-quoate (') are escaped. Starting from FreeMarker 2.3.1, it also escapes > as \> (to avoid </script>). Furthermore, all characters under UCS code point 0x20, that has no dedicated escape sequence in JavaScript language, will be replaced with hexadecimal escape (\xXX). (Of course, according the JavaScript language string literal syntax, backslash (\) will be escaped too, line-feed will be escaped as \n, ...etc.)

However, this is not valid json. In particular, the native JSON javascript object in newer browsers do not support all those escape characters. An example of problems can be found on stackoverflow:  http://stackoverflow.com/questions/2275359/jquery-single-quote-in-json-response 

In case a single-quote pops up, ?js_script will escape it which again leads to invalid JSON. The hotfix for it is: ${variable?js_string?replace("\'", "\'")} and if you really want to be picky: ${variable?js_string?replace("\'", "\'")?replace("\>",">")}

The formal grammar for legal json escapes are shown in the spec, at http://es5.github.com/#x15.12.1. The excerpt below shows legal escape characters (in additon, any character can be escaped using its numeric unicode sequence):

JSONEscapeCharacter :: one of
" / \ b f n r t

The questions, then, would be something like this:

a) Should FreeMarker support ?json_string, similar to js_string?
b) Is there interest in a patch, or is it better that those who know the code inside-out create it in the first place?

--
Eirik


------------------------------------------------------------------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create
new or port existing apps to sell to consumers worldwide. Explore the
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-appdev
_______________________________________________
FreeMarker-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/freemarker-devel
Reply | Threaded
Open this post in threaded view
|

Re: Request: ?json_string, similar to ?js_string

Daniel Dekany
Tuesday, December 20, 2011, 11:45:50 AM, Eirik Lygre wrote:

> Hi,
>
> FreeMarker today comes with the built-in "?js_string", which
> escapes strings according to JavaScript rules. From the FreeMarker docs:
>
> Escapes the string with the escaping rules of JavaScript language
> string literals, so it is safe to insert the value into a string
> literal. Both quotation mark (") and apostrophe-quoate (') are
> escaped. Starting from FreeMarker 2.3.1, it also escapes > as \> (to
> avoid </script>). Furthermore, all characters under UCS code point
> 0x20, that has no dedicated escape sequence in JavaScript language,
> will be replaced with hexadecimal escape (\xXX). (Of course,
> according the JavaScript language string literal syntax, backslash
> (\) will be escaped too, line-feed will be escaped as \n, ...etc.)
>
> However, this is not valid json.

Because each languages has to have its own string escaping rules...

> In particular, the native JSON javascript object in newer browsers
> do not support all those escape characters. An example of problems
> can be found on stackoverflow:
> http://stackoverflow.com/questions/2275359/jquery-single-quote-in-json-response
>
> In case a single-quote pops up, ?js_script will escape it which
> again leads to invalid JSON. The hotfix for it is:
> ${variable?js_string?replace("\'", "\'")} and if you really want to
> be picky: ${variable?js_string?replace("\'", "\'")?replace("\>",">")}
>
> The formal grammar for legal json escapes are shown in the spec, at
> http://es5.github.com/#x15.12.1. The excerpt below shows legal
> escape characters (in additon, any character can be escaped using its numeric unicode sequence):
>
> JSONEscapeCharacter :: one of
> " / \ b f n r t
>
> The questions, then, would be something like this:
>
> a) Should FreeMarker support ?json_string, similar to js_string?

Sure. (Actually, someone earlier wanted to dump whole graphs of
FreeMarker variables into JSON... a not so trivial task.)

> b) Is there interest in a patch, or is it better that those who
> know the code inside-out create it in the first place?

The only problem with contributing this is that it needs
disproportional amount of bureaucracy on your side (signing +
physically posting CLA). Unless, you plan to do more contributions in
the future, of course. So I assume I have to add this to my TODO for
the next release.

--
Best regards,
 Daniel Dekany


------------------------------------------------------------------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create
new or port existing apps to sell to consumers worldwide. Explore the
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-appdev
_______________________________________________
FreeMarker-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/freemarker-devel