bittersweet.templatetags.bittersweet_json module

bittersweet.templatetags.bittersweet_json.json(data)[source]

Safely JSON-encode an object

To protect against XSS attacks, HTML special characters (<, >, &) and unicode newlines are replaced by escaped unicode characters. Django does not escape these characters by default.

Output of this method is not marked as HTML safe. If you use it inside an HTML attribute, it must be escaped like regular data:

<div data-user="{{ data|json }}">

If you use it inside a <script> tag, then the output does not need to be escaped, so you can mark it as safe:

<script>
    var user = {{ data|json|safe }};
</script>

Escaped characters taken from Rails json_escape() helper: https://github.com/rails/rails/blob/v4.2.5/activesupport/lib/active_support/core_ext/string/output_safety.rb#L60-L113