From 0d8f9db3fbeef93be194d386f87dea627f69715e Mon Sep 17 00:00:00 2001
From: Dan Palmer
Date: Thu, 30 Aug 2018 19:48:21 +0100
Subject: [PATCH] Pass options from the fragment, not the template context
---
 .../templates/graphene/graphiql.html | 31 +++++++++++--------
 1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/graphene_django/templates/graphene/graphiql.html b/graphene_django/templates/graphene/graphiql.html
index 5bc5e04a5..6515da828 100644
--- a/graphene_django/templates/graphene/graphiql.html
+++ b/graphene_django/templates/graphene/graphiql.html
@@ -100,22 +100,27 @@
 function updateURL() {
 history.replaceState(null, null, locationQuery(parameters));
 }
- // Render into the body.
- ReactDOM.render(
- React.createElement(GraphiQL, {
- fetcher: graphQLFetcher,
+ // If there are any fragment parameters, confirm the user wants to use them.
+ if (Object.keys(parameters).length
+ && !window.confirm("An untrusted query has been loaded, continue loading query?")) {
+ parameters = {};
+ }
+ var options = {
+ fetcher: graphQLFetcher,
 onEditQuery: onEditQuery,
 onEditVariables: onEditVariables,
 onEditOperationName: onEditOperationName,
- query: '{{ query|escapejs }}',
- response: '{{ result|escapejs }}',
- {% if variables %}
- variables: '{{ variables|escapejs }}',
- {% endif %}
- {% if operation_name %}
- operationName: '{{ operation_name|escapejs }}',
- {% endif %}
- }),
+ query: parameters.query,
+ }
+ if (parameters.variables) {
+ options.variables = parameters.variables;
+ }
+ if (parameters.operation_name) {
+ options.operationName = parameters.operation_name;
+ }
+ // Render into the body.
+ ReactDOM.render(
+ React.createElement(GraphiQL, options),
 document.body
 );
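Review bot: The operation-name branch reads `parameters.operation_name`, which is the name of the old Django context variable on the removed side rather than a key this page is shown to write; if `onEditOperationName` (its body is outside this hunk) stores the value as `parameters.operationName`, the round-trip through `updateURL()` never restores it. I would change the branch to `if (parameters.operationName) { options.operationName = parameters.operationName; }`, or accept both spellings. The `window.confirm` gate is now the only check between a crafted link and a pre-filled editor, and it fires on any fragment key, presumably including state that `updateURL()` wrote from the user's own edits, so the comment above it should state the trust boundary, e.g. `// Fragment values can be set by whoever built the link; hand them to GraphiQL as data only, never into markup or eval.` The surrounding script block begins and ends outside the hunk.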