@@ -9,4 +9,6 @@ register = template.Library()
@register.filter
def as_json(value):
- return mark_safe(json.dumps(value))
+ json_dump = json.dumps(value)
+ # fixes XSS as described in #651
+ return mark_safe(json_dump.replace('<', r'\u003C'))
Rafał Pitoń