
The source for the flask.json module contains the following line. What does '\\/' mean, and why is Flask checking this?

_slash_escape = '\\/' not in _json.dumps('/')
davidism
Rolex
    I am almost positive it is testing that json.dumps returns the forward-slash '/' escaped as '\/'. It also may be testing that encode_html_chars = True. This may help: http://stackoverflow.com/a/27129934/5041537 – Kyle Shrader Aug 07 '15 at 17:10
    Could you link to the code in question? – YPCrumble Aug 07 '15 at 17:12
  • What version of Flask is this from? I searched their git repo for this string and they now appear to set `json_available = True` in their `__init__` for "backwards compatibility", so I think this test is no longer relevant. – Two-Bit Alchemist Aug 07 '15 at 17:24

2 Answers


Flask is using this to test if the JSON library it's using escapes slashes when it doesn't have to. If the library does, then json.dump('/') will produce '"\\/"' (equivalent to the raw string r'"\/"', see here for an explanation on escape characters).

Flask can choose one of multiple JSON libraries, and some libraries/versions escape forward slashes while others don't. Flask includes a comment explaining this.

If the library does escape slashes, Flask will undo this when it dumps the JSON, for consistency between libraries.

# figure out if simplejson escapes slashes.  This behavior was changed
# from one version to another without reason.
_slash_escape = '\\/' not in _json.dumps('/')
...
def htmlsafe_dumps(obj, **kwargs):
    ...
    if not _slash_escape:
        rv = rv.replace('\\/', '/')
    ...

Flask still escapes unsafe HTML characters when rendering the JSON in HTML, so the potentially unsafe string "</script>" becomes "\\u003c/script\\u003e" which is safe.

davidism
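An added example (not Flask's code and not part of the answer above) that runs the same probe against the standard library's `json` and against a constructed stand-in for a slash-escaping library, and shows why the undo has to be gated on the probe rather than applied unconditionally; the names `slash_escaping_dumps`, `escapes_slash`, `htmlsafe_dumps` and `roundtrips` are chosen here:

```python
import json


def slash_escaping_dumps(obj, **kwargs):
    """Constructed stand-in for a JSON library that writes '/' as '\\/'
    (stdlib json never does; the answer says some simplejson versions did)."""
    return json.dumps(obj, **kwargs).replace('/', '\\/')


def escapes_slash(dumps):
    """The probe from flask.json with the sense flipped for readability:
    True when this dumps() escapes '/'. Flask stores the opposite value:
    _slash_escape = '\\/' not in _json.dumps('/')."""
    return '\\/' in dumps('/')


def htmlsafe_dumps(obj, dumps=json.dumps, **kwargs):
    """Serialize obj so the text can sit inside an inline <script> block
    and is byte-identical whichever JSON library produced it."""
    rv = dumps(obj, **kwargs)
    # A '</script>' inside a JSON string would end the script element early.
    # JSON \uXXXX escapes are still valid JSON and decode to the same text.
    rv = (rv.replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026')
            .replace("'", '\\u0027'))
    # Undo the optional slash escaping, but only when the library does it:
    # with a non-escaping library the same replace would eat the encoded
    # backslash in '"a\\/b"' and silently change the data to 'a/b'.
    if escapes_slash(dumps):
        rv = rv.replace('\\/', '/')
    return rv


def roundtrips(obj, dumps=json.dumps):
    """True if obj survives htmlsafe_dumps() followed by a standard decode."""
    return json.loads(htmlsafe_dumps(obj, dumps=dumps)) == obj
```

Both library variants yield `"\u003c/script\u003e"` for the string `</script>`, and a value such as `/a\/b`, which contains both an escaped backslash and a slash, decodes unchanged only because the undo is conditional.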

Backslash (\) is the escape character. In several programming languages, it means to treat the next character as a literal whatever, instead of letting it perform its normal function (example: put a literal quote instead of treating it as an end quote).

Two backslashes (\\) means a literal backslash. As in, don't perform the escaping function.

So an escaped slash in JSON is \/, but to detect that Python has to use \\/ or else it will treat the backslash as an escape.

As an aside, this is why Python offers so-called "raw string literals" prefixed by r'', so that you don't have to write \\ to get a literal backslash.

Credit to davidism for discovering the specific reason Flask does this before I could. See this answer explaining that in more detail.

Two-Bit Alchemist
  • What is the meaning behind testing this? – Kyle Shrader Aug 07 '15 at 17:13
  • @KyleShrader It's a way to test if the string of JSON contains an escaped forward slash (`\/`), a literal backslash followed by a forward slash. See also: https://stackoverflow.com/questions/1580647/json-why-are-forward-slashes-escaped – Two-Bit Alchemist Aug 07 '15 at 17:15