test for json sanitization

Author: alexcjohnson

Diff for: packages/python/plotly/plotly/io/_json.py

@@ -57,16 +57,18 @@ def coerce_to_strict(const):
         return const
 
 
-_swap = (
+_swap_json = (
     ("<", "\\u003c"),
     (">", "\\u003e"),
     ("/", "\\u002f"),
+)
+_swap_orjson = _swap_json + (
     ("\u2028", "\\u2028"),
     ("\u2029", "\\u2029"),
 )
 
 
-def _safe(json_str):
+def _safe(json_str, _swap):
     out = json_str
     for unsafe_char, safe_char in _swap:
         if unsafe_char in out:
@@ -137,7 +139,9 @@ def to_json_plotly(plotly_object, pretty=False, engine=None):
 
         from _plotly_utils.utils import PlotlyJSONEncoder
 
-        return _safe(json.dumps(plotly_object, cls=PlotlyJSONEncoder, **opts))
+        return _safe(
+            json.dumps(plotly_object, cls=PlotlyJSONEncoder, **opts), _swap_json
+        )
     elif engine == "orjson":
         JsonConfig.validate_orjson()
         opts = orjson.OPT_NON_STR_KEYS | orjson.OPT_SERIALIZE_NUMPY
@@ -153,7 +157,9 @@ def to_json_plotly(plotly_object, pretty=False, engine=None):
 
         # Try without cleaning
         try:
-            return _safe(orjson.dumps(plotly_object, option=opts).decode("utf8"))
+            return _safe(
+                orjson.dumps(plotly_object, option=opts).decode("utf8"), _swap_orjson
+            )
         except TypeError:
             pass
 
@@ -163,7 +169,7 @@ def to_json_plotly(plotly_object, pretty=False, engine=None):
             datetime_allowed=True,
             modules=modules,
         )
-        return _safe(orjson.dumps(cleaned, option=opts).decode("utf8"))
+        return _safe(orjson.dumps(cleaned, option=opts).decode("utf8"), _swap_orjson)
 
 
 def to_json(fig, validate=True, pretty=False, remove_uids=True, engine=None):

Diff for: packages/python/plotly/plotly/tests/test_io/test_to_from_plotly_json.py

@@ -221,3 +221,25 @@ def test_mixed_string_nonstring_key(engine, pretty):
     value = build_test_dict({0: 1, "a": 2})
     result = pio.to_json_plotly(value, engine=engine)
     check_roundtrip(result, engine=engine, pretty=pretty)
+
+
+def test_sanitize_json(engine):
+    layout = {"title": {"text": "</script>\u2028\u2029"}}
+    fig = go.Figure(layout=layout)
+    fig_json = pio.to_json_plotly(fig, engine=engine)
+    layout_2 = json.loads(fig_json)["layout"]
+    del layout_2["template"]
+
+    assert layout == layout_2
+
+    replacements = {
+        "<": "\\u003c",
+        ">": "\\u003e",
+        "/": "\\u002f",
+        "\u2028": "\\u2028",
+        "\u2029": "\\u2029",
+    }
+
+    for bad, good in replacements.items():
+        assert bad not in fig_json
+        assert good in fig_json

Diff for: packages/python/plotly/test_requirements/requirements_37_optional.txt

@@ -19,3 +19,4 @@ matplotlib==2.2.3
 scikit-image==0.14.4
 psutil==5.7.0
 kaleido
+orjson==3.8.12

Diff for: packages/python/plotly/test_requirements/requirements_39_optional.txt

@@ -19,3 +19,4 @@ matplotlib==2.2.3
 scikit-image==0.18.1
 psutil==5.7.0
 kaleido
+orjson==3.8.12