The source for the flask.json module contains the following line. What does '\\/' mean, and why is Flask checking this?
_slash_escape = '\\/' not in _json.dumps('/')
loads() takes in a string and returns a json object. json.dumps() takes in a json object and returns a string.
The dump() method is used when the Python objects have to be stored in a file. The dumps() is used when the objects are required to be in string format and is used for parsing, printing, etc. The dump() needs the json file name in which the output has to be stored as an argument.
json loads -> returns an object from a string representing a json object. json dumps -> returns a string representing a json object from an object. load and dump -> read/write from/to file instead of string.
json.dumps() function will convert a subset of Python objects into a json string. Not all objects are convertible and you may need to create a dictionary of data you wish to expose before serializing to JSON.
Flask is using this to test if the JSON library it's using escapes slashes when it doesn't have to. If the library does, then json.dumps('/') will produce '"\\/"' (equivalent to the raw string r'"\/"', see here for an explanation on escape characters).
Flask can choose one of multiple JSON libraries, and some libraries/versions escape forward slashes while others don't. Flask includes a comment explaining this.
If the library does escape slashes, Flask will undo this when it dumps the JSON, for consistency between libraries.
# figure out if simplejson escapes slashes. This behavior was changed
# from one version to another without reason.
_slash_escape = '\\/' not in _json.dumps('/')
...
def htmlsafe_dumps(obj, **kwargs):
    ...
    if not _slash_escape:
        rv = rv.replace('\\/', '/')
    ...
Flask still escapes unsafe HTML characters when rendering the JSON in HTML, so the potentially unsafe string "</script>" becomes "\\u003c/script\\u003e" which is safe.
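To make the two steps in this answer concrete, here is an added example (it is not Flask's code and not part of the answer). It reproduces the probe from the question against the standard library and against a constructed encoder, dumps_escaping_slashes, that writes '/' as '\/' the way the Flask comment says some simplejson versions did, then normalises the output and applies the same \u003c-style escaping Flask uses in htmlsafe_dumps. The point worth checking is that the result is valid JSON that decodes back to the original string, so it is safe to embed in a script block without changing its meaning. Function names other than json.dumps/json.loads are assumptions for this example.

```python
import json


def dumps_escaping_slashes(obj):
    """Constructed encoder (assumption, not a real library): behaves like
    json.dumps but escapes every forward slash as '\\/', mimicking the
    simplejson versions the Flask comment complains about."""
    return json.dumps(obj).replace("/", "\\/")


def library_escapes_slashes(dumps=json.dumps):
    """Flask's probe: feed the encoder a lone '/' and look for the two
    characters backslash+slash in the result. '\\/' in Python source is
    that two-character string, not an escape for '/'."""
    return "\\/" in dumps("/")


def normalized_dumps(obj, dumps=json.dumps):
    """Return identical text whichever encoder is in use by undoing the
    needless '\\/' escaping when the encoder performs it."""
    rv = dumps(obj)
    if library_escapes_slashes(dumps):
        rv = rv.replace("\\/", "/")
    return rv


# The characters Flask rewrites as JSON \uXXXX escapes: each of them could
# otherwise terminate a <script> element or an HTML attribute value.
HTML_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
}


def htmlsafe_dumps(obj, dumps=json.dumps):
    """JSON text that can be placed inside a <script> block or a quoted
    attribute. The \\uXXXX forms are ordinary JSON string escapes, so a
    JSON parser still yields the original characters."""
    rv = normalized_dumps(obj, dumps)
    for ch, esc in HTML_ESCAPES.items():
        rv = rv.replace(ch, esc)
    return rv


def decodes_to(text, expected):
    """True when the escaped text parses as JSON back to the original value."""
    return json.loads(text) == expected


if __name__ == "__main__":
    print(library_escapes_slashes())                       # False for stdlib json
    print(library_escapes_slashes(dumps_escaping_slashes))  # True
    print(htmlsafe_dumps("</script>"))                      # "\u003c/script\u003e"
```

Running the block with both encoders gives the same htmlsafe_dumps output, which is the consistency the answer describes; the \u003c form is what keeps a string such as "</script>" from closing the element it is embedded in.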
Backslash (\) is the escape character. In several programming languages, it means to treat the next character as a literal whatever, instead of letting it perform its normal function (example: put a literal quote instead of treating it as an end quote).
Two backslashes (\\) means a literal backslash. As in, don't perform the escaping function.
So an escaped slash in JSON is \/, but to detect that Python has to use \\/ or else it will treat the backslash as an escape.
As an aside, this is why Python offers so-called "raw string literals" prefixed by r'', so that you don't have to write \\ to get a literal backslash.
Credit to davidism for discovering the specific reason Flask does this before I could. See this answer explaining that in more detail.