From 9f30bc8c4d6702a2e206fd8027443d2edafe4729 Mon Sep 17 00:00:00 2001
From: Ayala Shachar
Date: Tue, 23 May 2017 10:24:52 -0700
Subject: Make tojson always safe (fix #709)
---
 jinja2/utils.py | 2 +-
 tests/test_filters.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/jinja2/utils.py b/jinja2/utils.py
index b96d309..40c87ff 100644
--- a/jinja2/utils.py
+++ b/jinja2/utils.py
@@ -567,7 +567,7 @@ def htmlsafe_json_dumps(obj, dumper=None, **kwargs):
 .replace(u'>', u'\\u003e') \
 .replace(u'&', u'\\u0026') \
 .replace(u"'", u'\\u0027')
- return rv
+ return Markup(rv)
 @implements_iterator
diff --git a/tests/test_filters.py b/tests/test_filters.py
index 318a347..ff94183 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -580,8 +580,9 @@ class TestFilter(object):
 def test_json_dump(self):
 env = Environment(autoescape=True)
 t = env.from_string('{{ x|tojson }}')
- assert t.render(x={'foo': 'bar'}) == '{"foo": "bar"}'
- assert t.render(x='"bar\'') == r'"\"bar\u0027"'
+ assert t.render(x={'foo': 'bar'}) == '{"foo": "bar"}'
+ assert t.render(x='"ba&r\'') == r'"\"ba\u0026r\u0027"'
+ assert t.render(x='') == r'"\u003cbar\u003e"'
 def my_dumps(value, **options):
 assert options == {'foo': 'bar'}
-- 
cgit v1.2.1
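Review bot: Wrapping the result in `Markup` at `return Markup(rv)` makes autoescape trust this string in every output context, but the replace chain visible in this hunk rewrites only `>`, `&` and `'` and leaves `"` untouched (any handling of `<` would sit above the hunk). The value therefore remains unsafe inside a double-quoted HTML attribute, where the first `"` of the JSON closes the attribute. The docstring of `htmlsafe_json_dumps`, which starts outside this hunk, should state that limit, for example `Safe in HTML text and <script> blocks; in attributes use single quotes or |forceescape, because double quotes are not escaped.`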
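Review bot: The updated `test_json_dump` renders only through `Environment(autoescape=True)`, so nothing pins that `tojson` yields the same escaped output with autoescape off, which is what the subject line promises. One more assertion would cover it: `assert Environment(autoescape=False).from_string('{{ x|tojson }}').render(x='"ba&r\'') == r'"\"ba\u0026r\u0027"'`. As shown on this page the last added assertion passes `x=''` yet expects `"\u003cbar\u003e"`; that looks like an angle-bracket literal lost in rendering and is worth confirming against the repository. The test body continues past the hunk with `my_dumps`.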