
django escaping for html in json

I was going over my Django site looking for XSS problems. I figured I had it covered since Django does auto-escaping. So I put the usual alert('foo'); in sample data and found a huge hole where I'm using ajax to pull data down as JSON and using jquery.append to add it; none of that is escaped for HTML, oops.

So my question is what is the best way to fix this:

  • Use my own copy of simplejson that auto escapes based on a param.
  • Just make sure I always use escape() when creating dicts that are going to be JSON dumped
  • Always use .text on the client side
  • Something I haven't thought of

It seems like this is a pretty easy problem to get yourself into.


Do something that is obvious/transparent/automatic, like Joel suggested here: http://www.joelonsoftware.com/articles/Wrong.html

Still, I don't see how "alert('foo');" can be harmful when injected into HTML. What would be harmful is if it were surrounded by a "< script />" tag.

And for escaping HTML, you have to figure out whether you want to do this on input or on output. Depending on what you want to achieve (e.g. allowing a subset of HTML tags) and taking performance issues into account, you might want to escape the input and store the escaped HTML in the database.

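The second option in the question (always escape() the strings before they are JSON-dumped) is easy to forget per view, so here is an added example, not code from the original post or from Django, that does it once for a whole JSON-serialisable structure, next to the different escaping needed when the same JSON is embedded inline in a script block rather than fetched by ajax. SAMPLE is a constructed payload; the function names and field names are assumptions for illustration. html.escape(quote=True) is the stdlib counterpart of django.utils.html.escape.

```python
import html
import json

# Constructed sample: what a view might return after a user stored a script
# payload in a text field (assumption: the field names are illustrative).
SAMPLE = {
    "comments": [
        {"author": "alice", "body": "looks good"},
        {
            "author": "<script>alert('foo');</script>",
            "body": "a \"quoted\" & <b>bold</b> reply",
        },
    ],
    "count": 2,
}


def escape_strings(value):
    """Recursively HTML-escape every string in a JSON-serialisable structure.

    Dict keys and values, list items and nested containers are all walked;
    numbers, booleans and None pass through untouched. html.escape with
    quote=True maps & < > " ' to entity form, which is what
    django.utils.html.escape does as well.
    """
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, dict):
        return {escape_strings(k): escape_strings(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [escape_strings(v) for v in value]
    return value


def dumps_html_escaped(value):
    """json.dumps for payloads the client will insert as HTML (append/innerHTML).

    Use this only when the client side really does treat the strings as HTML;
    if the client uses .text(), plain json.dumps is the right choice, or the
    user will see a literal '&lt;' on the page.
    """
    return json.dumps(escape_strings(value))


def dumps_for_script_tag(value):
    """json.dumps for payloads embedded inline inside a <script> block.

    Here the data is parsed as JavaScript, not HTML, so entity escaping would
    corrupt it. Instead the characters that could close the script block are
    emitted as JSON \\u escapes, which JSON.parse turns back into the original
    text. Because these characters only ever occur inside JSON string
    literals, a plain replace over the dumped text is safe.
    (Assumption: this mirrors the idea behind Django's json_script filter;
    it is not Django's code.)
    """
    out = json.dumps(value)
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def script_payload_roundtrips(value):
    """True if a script-tag-safe dump decodes back to the original structure."""
    return json.loads(dumps_for_script_tag(value)) == value


if __name__ == "__main__":
    print("plain       :", json.dumps(SAMPLE))
    print("html-escaped:", dumps_html_escaped(SAMPLE))
    print("script-safe :", dumps_for_script_tag(SAMPLE))
```

Pick exactly one layer to escape at. Server-side entity escaping as above protects a client that calls .append() or innerHTML on the fetched strings, but double-escapes if the client also uses .text(); the script-tag variant protects the inline case without changing the decoded values at all.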