From b65fce659502ac5e211d13fbd5435e1ff6c703d2 Mon Sep 17 00:00:00 2001
From: Jacob Kaplan-Moss <jacob@jacobian.org>
Date: Tue, 4 Dec 2007 21:08:29 +0000
Subject: [PATCH] Fixed #4131: added an "escapejs" filter for use in JavaScript
 strings, and updated the documentation on addslashes to point to the new
 ticket. Featuring contributions from Ned Batchelder, Jeremy Dunck, and Andy
 Durdin.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@6892 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/template/defaultfilters.py             | 25 ++++++++++++++++++-
 docs/templates.txt                            | 13 +++++++++-
 tests/regressiontests/defaultfilters/tests.py | 12 +++++++++
 3 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
index ac92bef6cf..9514c92d50 100644
--- a/django/template/defaultfilters.py
+++ b/django/template/defaultfilters.py
@@ -43,7 +43,11 @@ def stringfilter(func):
 
 
 def addslashes(value):
-    """Adds slashes - useful for passing strings to JavaScript, for example."""
+    """
+    Adds slashes before quotes. Useful for escaping strings in CSV, for
+    example. Less useful for escaping JavaScript; use the ``escapejs``
+    filter instead.
+    """
     return value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")
 addslashes.is_safe = True
 addslashes = stringfilter(addslashes)
@@ -54,6 +58,25 @@ def capfirst(value):
 capfirst.is_safe=True
 capfirst = stringfilter(capfirst)
 
+_js_escapes = (
+    ('\\', '\\\\'),
+    ('"', '\\"'),
+    ("'", "\\'"),
+    ('\n', '\\n'),
+    ('\r', '\\r'),
+    ('\b', '\\b'),
+    ('\f', '\\f'),
+    ('\t', '\\t'),
+    ('\v', '\\v'),
+    ('</', '<\\/'),
+)
+def escapejs(value):
+    """Backslash-escapes characters for use in JavaScript strings."""
+    for bad, good in _js_escapes:
+        value = value.replace(bad, good)
+    return value
+escapejs = stringfilter(escapejs)
+
 def fix_ampersands(value):
     """Replaces ampersands with ``&amp;`` entities."""
     from django.utils.html import fix_ampersands
diff --git a/docs/templates.txt b/docs/templates.txt
index e91d1b3e4c..3b38caf58b 100644
--- a/docs/templates.txt
+++ b/docs/templates.txt
@@ -1227,8 +1227,10 @@ Adds the arg to the value.
 addslashes
 ~~~~~~~~~~
 
-Adds slashes. Useful for passing strings to JavaScript, for example.
+Adds slashes before quotes. Useful for escaping strings in CSV, for example.
 
+**New in Django development version**: for escaping data in JavaScript strings,
+use the `escapejs` filter instead.
 
 capfirst
 ~~~~~~~~
@@ -1302,6 +1304,15 @@ applied to the result will only result in one round of escaping being done. So
 it is safe to use this function even in auto-escaping environments. If you want
 multiple escaping passes to be applied, use the ``force_escape`` filter.
 
+escapejs
+~~~~~~~~
+
+**New in Django development version**
+
+Escapes characters for use in JavaScript strings. This does *not* make the
+string safe for use in HTML, but does protect you from syntax errors when using
+templates to generate JavaScript/JSON.
+
 filesizeformat
 ~~~~~~~~~~~~~~
 
diff --git a/tests/regressiontests/defaultfilters/tests.py b/tests/regressiontests/defaultfilters/tests.py
index bfa03cd6e1..668ecb9d5a 100644
--- a/tests/regressiontests/defaultfilters/tests.py
+++ b/tests/regressiontests/defaultfilters/tests.py
@@ -49,6 +49,18 @@ u'\\\\ : backslashes, too'
 >>> capfirst(u'hello world')
 u'Hello world'
 
+>>> escapejs(u'"double quotes" and \'single quotes\'')
+u'\\"double quotes\\" and \\\'single quotes\\\''
+
+>>> escapejs(ur'\ : backslashes, too')
+u'\\\\ : backslashes, too'
+
+>>> escapejs(u'and lots of whitespace: \r\n\t\v\f\b')
+u'and lots of whitespace: \\r\\n\\t\\v\\f\\b'
+
+>>> escapejs(ur'<script>and this</script>')
+u'<script>and this<\\/script>'
+
 >>> fix_ampersands(u'Jack & Jill & Jeroboam')
 u'Jack &amp; Jill &amp; Jeroboam'