From e3a981fc2c58e9603445822bf73d7fe0b22a0f3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonel=20C=C3=A2mara?= <leonelcamara@gmail.com>
Date: Thu, 2 May 2019 16:09:10 +0100
Subject: [PATCH 1/2] Fixes #2182 possibly Fixes #2190

---
 gluon/serializers.py | 44 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 37 insertions(+), 7 deletions(-)

diff --git a/gluon/serializers.py b/gluon/serializers.py
index 440b8657..a72bc216 100644
--- a/gluon/serializers.py
+++ b/gluon/serializers.py
@@ -119,13 +119,43 @@ def xml(value, encoding='UTF-8', key='document', quote=True):
     return ('<?xml version="1.0" encoding="%s"?>' % encoding) + str(xml_rec(value, key, quote))
 
 
-def json(value, default=custom_json, indent=None, sort_keys=False):
-    value = json_parser.dumps(value, default=default, sort_keys=sort_keys, indent=indent)
-    # replace JavaScript incompatible spacing
-    # http://timelessrepo.com/json-isnt-a-javascript-subset
-    # PY3 FIXME
-    # return value.replace(ur'\u2028', '\\u2028').replace(ur'\2029', '\\u2029')
-    return value
+class JSONEncoderForHTML(json_parser.JSONEncoder):
+    """An encoder that produces JSON safe to embed in HTML.
+    To embed JSON content in, say, a script tag on a web page, the
+    characters &, < and > should be escaped. They cannot be escaped
+    with the usual entities (e.g. &amp;) because they are not expanded
+    within <script> tags.
+    This class also escapes the line separator and paragraph separator
+    characters U+2028 and U+2029, irrespective of the ensure_ascii setting,
+    as these characters are not valid in JavaScript strings (see
+    http://timelessrepo.com/json-isnt-a-javascript-subset).
+    """
+
+    def encode(self, o):
+        # Override JSONEncoder.encode because it has hacks for
+        # performance that make things more complicated.
+        chunks = self.iterencode(o, True)
+        if self.ensure_ascii:
+            return ''.join(chunks)
+        else:
+            return u''.join(chunks)
+
+    def iterencode(self, o, _one_shot=False):
+        chunks = super(JSONEncoderForHTML, self).iterencode(o, _one_shot)
+        for chunk in chunks:
+            chunk = chunk.replace('&', '\\u0026')
+            chunk = chunk.replace('<', '\\u003c')
+            chunk = chunk.replace('>', '\\u003e')
+
+            if not self.ensure_ascii:
+                chunk = chunk.replace(u'\u2028', '\\u2028')
+                chunk = chunk.replace(u'\u2029', '\\u2029')
+
+            yield chunk
+
+
+def json(value, default=custom_json, indent=None, sort_keys=False, cls=JSONEncoderForHTML):
+    return json_parser.dumps(value, default=default, cls=cls, sort_keys=sort_keys, indent=indent)
 
 def csv(value):
     return ''

From be81e69c2bd471d11f59a87d1ce9c1600a400a81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonel=20C=C3=A2mara?= <leonelcamara@gmail.com>
Date: Thu, 2 May 2019 16:21:34 +0100
Subject: [PATCH 2/2] fix tests for new json serializer

---
 gluon/tests/test_serializers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gluon/tests/test_serializers.py b/gluon/tests/test_serializers.py
index 90157698..d3c2cb48 100644
--- a/gluon/tests/test_serializers.py
+++ b/gluon/tests/test_serializers.py
@@ -50,7 +50,8 @@ class TestSerializers(unittest.TestCase):
         lazy_translation = T('abc')
         self.assertEqual(json(lazy_translation), u'"abc"')
         # html helpers are xml()ed before too
-        self.assertEqual(json(SPAN('abc')), u'"<span>abc</span>"')
+        self.assertEqual(json(SPAN('abc'), cls=None), u'"<span>abc</span>"')
+        self.assertEqual(json(SPAN('abc')), u'"\\u003cspan\\u003eabc\\u003c/span\\u003e"')
         # unicode keys make a difference with loads_json
         base = {u'è': 1, 'b': 2}
         base_enc = json(base)